From the Editor

We've all now mostly rested from WWDC 2009 and back with another information-packed issue. For some reason, the week of WWDC always turns out to be much more hectic than I think it will be.

There's the public opening keynote, and the ensuing discussions, of course. But then sessions start up, and meetings with Apple Engineers, and dinners with co-workers and friends, and communication with people who didn't attend the conference (family, co-workers, etc.), and on and on.

Interestingly for a conference as old as WWDC, it's still being shaped, or coming of age. This year was nearly dominated by iPhone development. 65% of WWDC attendees were new (it was their first time attending the conference). That's astounding. Interestingly, the session attendance bore this out: most any "Beginner" or "Introduction to..." session was filled to capacity. The Apple universe is once again in a period of growth. What a great time to be wrapped up technologically with Apple products.

Despite the heavy iPhone influence, there was still plenty to dig into. Of course, since iPhone development is Objective-C based, there's a lot of overlap between iPhone and Mac OS X development, and many sessions reflected that. The IT tracks seem to be getting the squeeze, but as I've mentioned many times in the past, there are many "developer" topics that are ideal for IT people. If you consider yourself an IT person and want to push yourself, you should be paying attention to many of these topics, such as scripting and the Cocoa API.

Of course, there are also the Labs, where you can interact directly with Apple Engineers. The Labs were larger this year and took up more of the dining area on the ground floor. This is a fantastic opportunity to show an Apple Engineer (someone who can really do something) a problem that you're having or a reproducible bug.

Perhaps it's because I didn't attend too many iPhone sessions, but the conference once again felt personal to me, and a little exclusive. We'll have to see where Apple takes all of this as the show is now selling out entirely. Adding capacity takes away from one of the main draws of the show: time with an Apple Engineer. The interaction between all of the various disciplines is too valuable to break into separate shows. But something has to give at some point, one would imagine.

MacTech in June (handed out to attendees in line for the keynote at WWDC) was the largest issue in a while. Up top, however, I promised an information-packed issue. So, how do we follow up from last month?

First, we start with an article that fits the mold of what I've been describing perfectly: Greg Neagle covers Scripting Opportunities for System Administrators. Possibly the best thing about OS X is the addition of common scripting languages like bash, Python, Perl and Ruby.

This month's Mac in the Shell also covers a topic on the scripting front: text parsing in Python. Specifically, pulling text out of e-mail messages.

A topic of interest to everyone is Demystifying PKI. Security should be a top concern in any technology effort. Public Key Infrastructure is the prevalent way to protect data in transit and verify identity.

Criss Myers returns with an article covering JAMF Software's Casper, specifically for imaging. Casper has become an increasingly important tool in many Sys Admins' toolboxes. It is very good at what it does and contains a broad range of utility. Let Criss demonstrate how using Casper can make a Sys Admin's job easier.

This month features a very special Road to Code. Dave Dribin interviews Brad Cox, the co-inventor of Objective-C. It's really interesting to hear about the origins of the language (that is now used to develop for every Macintosh and iPhone on Earth) and to see what he's doing now.

Microsoft's SharePoint is a really incredible document storage and workflow server. OS X clients have long been second-class citizens when working in a SharePoint environment. Well, I can't say that we're seeing feature parity with Windows here, but the recently released Service Pack 2 for Office 2008 brings dramatic improvement to the SharePoint experience from a Mac.

Hopefully, you've soaked in all of the material from WWDC and have some great new ideas. Let us know how you've been inspired: correspondence to letters@mactech.com. See you next month!

Edward Marczak,
Executive Editor
Mac in the Shell

by Edward Marczak

Python Text Parsing

Automating entries through keyword searching

Introduction

We've been covering Python basics over the last several columns. This month, we'll hit something with a little practicality: text processing. While computers are really good with numbers, people are really good with words. More often than not, input from people comes as text. Turns out that Python is pretty good at dealing with text processing and manipulation. Let's have a closer look, shall we?

More To The Story

OK, there's a little bit more to the story. I've dealt with e-mail systems and e-mail processing for a very long time. (Let's just say that I started with sendmail before it used m4, mmmmkay?) Oftentimes, though, we want a program dealing with incoming mail. This may be for the purposes of a mailing list, for auto-response or to parse the e-mail and then put relevant bits into a database.

E-mail is either really complex or really simple, depending on how you look at it. It's complex because it's got headers and encoding and parts. But it's simple, because it's all text. No matter what all of the pieces are, they're all just human readable text. Fortunately, there are many pre-built libraries that help deal with the complexity, allowing you, the script writer, to focus on the task at hand: processing the parts of the message body that you're interested in. Python's "batteries included" philosophy ensures that a good mail processing library ships as part of the core package.

How is any of this Mac-specific? Well, it isn't. Not directly. However, I just mentioned that Python has, by default (no extra installation required), a good e-mail processing library. Python ships standard with OS X. That's part of the equation solved. Then, there's the issue of receiving the mail in the first place.

Just about every contemporary mail system has a method of taking incoming mail and feeding it to a script. Postfix, which ships with OS X, is no exception. By default, an SMTP (Simple Mail Transfer Protocol) server wants to receive mail, decide if the mail is for a valid user on its system, and then drop that mail in the user's mailbox. That's it. But what about a list server? Well, you take the same SMTP server, but instead of delivering any mail to an end user's mailbox, you hand all mail off to the list server program. The list server program will determine who to deliver this mail to.

This is also similar to server-side anti-spam. All incoming mail is handed off to an anti-spam program. The mail is analyzed, potentially acted upon (read: dropped), and mail is then fed back into the SMTP server for final delivery.

We're not going to do anything so grand here today, but after finishing up, you'll have the groundwork. If you have an OS X machine acting as a mail relay and really want to test/use this, you're going to need to modify some postfix config files directly.

In /etc/postfix/transport, you'll need to first define a transport. Let's say your main mail server is called mail.example.com. If you want to divert mail to a script, have the mail sent to mproc.example.com, and add the following line to /etc/postfix/transport:

mproc.example.com    mproc:

This says, "all mail that arrives for mproc.example.com, send it to the transport named mproc." (Postfix only consults this file once it has been compiled with postmap and is listed under transport_maps in main.cf.) Once a transport is defined, we also need to tell postfix how to connect the dots between the transport named mproc and our script. That happens in /etc/postfix/master.cf. Add the following lines to the end of the file; the second line must start with whitespace so postfix reads it as a continuation of the first:

mproc     unix  -       n       n       -       -       pipe
  flags=DRhu user=mproc argv=/usr/bin/mproc.py

This tells postfix that any mail arriving on the mproc transport should be piped to the mproc.py script, and that the script runs as the unprivileged user named in user= rather than as root. This is, of course, assuming that we store our script in /usr/bin as "mproc.py". Adjust as needed.

Of course, we're going to keep it simple: since the text will be piped into the script, it's easy to simulate. The pipe simply delivers the entire message on stdin.

A Text Processing Script

Again, we said that we're really focusing on processing e-mail as it arrives, so, we're going to look for input via stdin (which the pipe above does for us). Other text processing scripts may want to deal with text already in a file or elsewhere. I'll make sure to cover that in a future column, but that's not the goal of today's exercise. Despite keeping it simple, we'll be covering a few new-to-us concepts.

Here's the assignment: currently, stock information arrives via e-mail where a dedicated person reads the mail and inputs the entries into a database. This person could clearly be doing better things, as this can be automated without changing the backend system that is sending the e-mail message (whether that's a person or a machine is immaterial for this article). These messages will have a strict format: category and value, separated by a colon. The body of a message would look like this:

Company: Cartier
Product: Watch
Model: Original Tank
Number: 12324A332
Price: $4,500
Available: Yes

However, there's a problem when parsing an e-mail message: it's never just the body that you receive. It's headers. And MIME parts. Oy. Fortunately, Python's email library has functions to deal with this.

I say let's dive right in. Here's the code I'm using, which will be followed by an explanation of the program.

Listing 1: e-mail parsing program, epp.py

#!/usr/bin/env python

import re
import sys

from email.parser import Parser

# The keywords we're looking for
keys = ['Company', 'Product', 'Model', 'Number', 'Price',
        'Available']

# Compile each keyword into a regular expression, keyed by the keyword
keysre = {}
for k in keys:
    keysre[k] = re.compile(k)

# Read stdin into a single string
mystdin = sys.stdin.read()

# Create a parser object and parse the input
p = Parser()
ps = p.parsestr(mystdin)

# Examine each message part for an appropriate plain body
for part in ps.walk():
    if part.get_content_subtype() != 'plain':
        continue

    # Decoded body of this part only, without its MIME headers
    plainbody = part.get_payload(decode=True)
    if not isinstance(plainbody, str):   # bytes on Python 3
        plainbody = plainbody.decode(part.get_content_charset() or 'us-ascii', 'replace')

    # Break message into lines, based on newline char
    plainbody = plainbody.splitlines()

    for line in plainbody:
        # Look at each key for a match
        for k in keys:
            if keysre[k].match(line):
                print(line)

sys.exit(0)

First thing to notice about the code is the relative brevity: under 40 lines in total. As usual, the first few lines simply get us set up: shebang line and relevant imports, including the parser from the Python-supplied email package.

#!/usr/bin/env python
import re
import sys

from email.parser import Parser

There have been a few times in this column that I've mentioned the importance of regular expressions (RE). Python has good support for RE via the re module:

# The keywords we're looking for
keys = ['Company', 'Product', 'Model', 'Number', 'Price',
        'Available']

# Compile each keyword into a regular expression, keyed by the keyword
keysre = {}
for k in keys:
    keysre[k] = re.compile(k)

What is happening here is that we define a list of the keywords we're going to be looking for in the message body. Python regular expressions need to be compiled into an object, which is why we define the keysre dictionary (note the braces: an empty list, [], cannot be indexed by a string). Of course, we could define these objects one at a time, but that's really inelegant and doesn't scale. In the loop, the dictionary is filled with keys that correspond to the words we're going to match, with a value of the compiled RE object.

# Read stdin into a single string
mystdin = sys.stdin.read()

# Create a parser object and parse the input
p = Parser()
ps = p.parsestr(mystdin)

The first part of this section is pretty simple: assign all of stdin to the variable mystdin. Part of the email library is the email parser object. This object allows an e-mail message, headers, MIME parts and all, to be parsed, iterated over and picked apart. We're defining a new parser object and then loading the variable ps with a parsed version of the message that's arriving on stdin.

# Examine each message part for an appropriate plain body
for part in ps.walk():
    if part.get_content_subtype() != 'plain':
        continue

    # Decoded body of this part only, without its MIME headers
    plainbody = part.get_payload(decode=True)
    if not isinstance(plainbody, str):   # bytes on Python 3
        plainbody = plainbody.decode(part.get_content_charset() or 'us-ascii', 'replace')

This section of the code hands us back the plain part of the message. MIME types are described in two parts, such as "text/html". We're only interested in the plain portion of the message if there are additional parts in the message. The conditional tests if the subpart is not plain. If it is not, we continue and go back to the top of the loop. If it is plain, we fall through and assign the body of the subpart, as a string, to the variable plainbody. Asking for the payload with decode=True matters: it leaves out the part's own MIME headers and undoes any transfer encoding (base64 or quoted-printable), so the lines we match against are the lines the sender typed rather than an encoded form of them. On Python 3 the decoded payload is bytes, hence the extra decode using the part's declared charset.

# Break message into lines, based on newline char
plainbody = plainbody.splitlines()

The splitlines() string method returns a list, each element a line in the string, split by a separator: by default, the newline character. Now, we can examine each line in turn:

for line in plainbody:
    # Look at each key for a match
    for k in keys:
        if keysre[k].match(line):
            print(line)

As we examine each line, an if statement tests for a match of our regular expressions by looping through the keysre dictionary. Note that match() anchors at the start of the line, so a line that merely mentions "Price" somewhere in the middle is not a hit. If there's a match, we print it out. Naturally, we can take other action here besides printing it out, such as storing it internally, comparing it to some known value or even inserting it into a database. One thing you will likely want to do is to split the matching lines into key/value pairs. The string's split method does this very nicely. For example:

key, value = line.split(':', 1)

The first argument to split is the separator to split on. In our case, we know the lines are split by the colon character and that we're expecting back two values. Left to itself, the split method will happily split as many times as needed, so a value that itself contains a colon (a time of day, say) would produce a third element and the two-name assignment would fail; the optional second argument caps the number of splits at one. In the case where you don't know how many values to expect, you may just want to assign to a list, like so:

values = line.split(':')

From there you can work out how many values were split and returned to you, and what to do with them.

Finally, we exit the program with a 'clean' exit code:

sys.exit(0)
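To tie the pieces together, here is an added example (my code, not the column's listing) that parses a constructed multipart message end to end: it decodes the text/plain part using the part's declared charset and transfer encoding, ignores the HTML alternative, matches only an allow-list of keywords anchored at the start of the line, and returns a dictionary of key/value pairs plus the list of expected keys the message failed to supply. The sample message, the allow-list, the "first occurrence wins" rule and the function names are my assumptions; the six key names come from the column.

```python
#!/usr/bin/env python
# Added example, not part of the column: parse stock entries out of a
# multipart e-mail. The sample message and helper names are constructed here.
import email
import re
import sys

# Keywords the column expects; anything else in the body is ignored.
ALLOWED_KEYS = ('Company', 'Product', 'Model', 'Number', 'Price', 'Available')

# Anchored at the start of the line: "Price: $4,500" matches, a line that
# merely mentions "Price" in the middle of a sentence does not.
ENTRY_RE = re.compile(r'^(%s)\s*:\s*(.*?)\s*$' % '|'.join(ALLOWED_KEYS))

# Constructed test message. The HTML alternative is placed first on purpose
# so the test proves it is skipped; the plain part is quoted-printable with a
# soft line break (Model) and an encoded dollar sign (Price).
SAMPLE_MESSAGE = """\
From: inventory@example.com
To: entries@mproc.example.com
Subject: New item
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="sep"

--sep
Content-Type: text/html; charset="utf-8"

<html><body><p>Available: No</p></body></html>
--sep
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Company: Cartier
Product: Watch
Model: Original =
Tank
Number: 12324A332
Price: =244,500
Available: Yes
Notes: please call about Price
--sep--
"""


def plain_text_parts(msg):
    """Yield the decoded text of every text/plain part in the message."""
    for part in msg.walk():
        if part.get_content_type() != 'text/plain':
            continue
        raw = part.get_payload(decode=True)   # undoes base64/quoted-printable
        charset = part.get_content_charset() or 'us-ascii'
        yield raw.decode(charset, 'replace')


def parse_entries(raw_message):
    """Return {keyword: value} for allow-listed keywords found in the body.
    The first occurrence of a keyword wins; later duplicates are ignored."""
    msg = email.message_from_string(raw_message)
    entries = {}
    for text in plain_text_parts(msg):
        for line in text.splitlines():
            m = ENTRY_RE.match(line)
            if m and m.group(1) not in entries:
                entries[m.group(1)] = m.group(2)
    return entries


def missing_keys(entries):
    """Expected keywords that the message did not supply."""
    return [k for k in ALLOWED_KEYS if k not in entries]


if __name__ == '__main__':
    source = SAMPLE_MESSAGE if sys.stdin.isatty() else sys.stdin.read()
    found = parse_entries(source)
    for k in ALLOWED_KEYS:
        print('%s: %s' % (k, found.get(k, '<missing>')))
    sys.exit(1 if missing_keys(found) else 0)
```

Run it with no input to see the constructed message parsed, or pipe a raw message in as the column describes. Two design choices are worth keeping if you extend this: the allow-list means a sender cannot smuggle arbitrary keys into whatever you insert into the database, and taking only the first occurrence of a key means a second "Price:" line further down the body cannot quietly override the one you saw first.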

Running the Program

If you don't happen to have any test e-mail sitting around, I've placed one on the MacTech ftp site, under this month's directory (ftp://ftp.mactech.com). If you run your own mail server, you can actually just go grab a raw message from the mail spool (your own mail, mind you!).

Since the instructions I gave in the first part allow postfix to send incoming mail through a pipe and to the application, we need a more convenient way to test. The command line makes this easy; just pipe it yourself. Don't forget to mark the program as executable:

chmod 770 epp.py

and then pipe away:

cat /path/to/mits_test_mail | ./epp.py

(or, substitute the ./ with the full path to the program, if needed). If you're using the test mail from the MacTech ftp site, you should see the output you expect: the values that we're matching on, with no headers, MIME clutter, etc. Take a look at the original test mail file to see just how much cruft is being left out.
Conclusion

This was a bit of a whirlwind tour of several concepts. I'd encourage you to bulk up an application like this by checking for error conditions and then taking appropriate action. Outside of that, though, it's pretty impressive how few dedicated commands are needed to process a well-formed e-mail message. The rest are really just 'nuts and bolts' features of the language.

Media of the month: I'd like to think that everyone has some kind of music that they like. Something that reached them, or that reminds them of some period of time. Well, growing up in New York certainly left a musical stamp on me. I just finished "No Wave" by Marc Masters, and I just loved every second of it. I remember the NY scene around that time, but was certainly too young to fully appreciate it. I don't expect everyone to fully enjoy or 'get' No Wave. But sometimes, the best way to enjoy music is by reading about it. So think of the music that inspires you and find the reading material that points out its inspiration. Thanks to Bruce Gerson for inspiring the topic this month.

Next month, we'll expand on some of the concepts covered here and dig deeper into the well that Python has to offer.




About The Author

Ed Marczak is the Executive Editor of MacTech Magazine. He has written for MacTech since 2004.



Scripting Opportunities for System Administrators, part 2

Running administrative scripts at login and logout, and more

By Greg Neagle, MacEnterprise.org

MacEnterprise.org: Mac OS X enterprise deployment project

Introduction

In an earlier issue of MacTech, we started a look at scripting opportunities for systems administrators. We talked about why you might want to run a script, when it's possible and advisable to run scripts for certain tasks, and began to look at exactly how you get your scripts to run at the right time.

Previously, we discussed running scripts at startup and on a repeating schedule. This month, we'll look at running scripts as part of the login and logout process, both with root privileges and as the user logging in. We'll also consider scripts that should run only once, either at startup or login. Finally, we'll look at some methods to simplify implementing additional scripts once you have a few working.

Login/Logout hooks

A very common administrative need is to run a script (or scripts) when a user logs in or when a user logs out. One possible reason to do this is that you need to make a change to the user's environment: maybe you need to redirect a network user's caches to the local disk before they complete their login, or you need to do some cleanup on logout.

If you need to run a script at each user login, and the script must have superuser (root) privileges, you should consider implementing a login hook. A login hook is a script that runs as part of the login process. It runs after the user's home directory has been mounted (if it's a network user or one whose home directory has been protected with FileVault). It runs as root, but is passed the short name of the user who is logging in as its first argument ($1).

To set up a login hook, make sure your script is executable:

sudo chmod 755 /path/to/script

Then set the login hook:

sudo defaults write com.apple.loginwindow LoginHook /path/to/script

Log out and back in, and the hook should run. Logout hooks are set up similarly:

sudo defaults write com.apple.loginwindow LogoutHook /path/to/script

Because the hook runs as root at every login, the script, and every directory on the path to it, should be owned by root and writable only by root. A hook that any local user can edit is a local privilege escalation waiting for the next login.

Here's an example of a script that could be used as a logout hook. On logout, it randomly selects a picture to use as the desktop picture/background behind the loginwindow.

#!/usr/bin/perl -w
use strict;

my $loginwindowprefs = "/Library/Preferences/com.apple.loginwindow";
my $picdir = "/Library/Desktop Pictures/Nature";

if ( -d "$picdir" ) {
    # ls -1 skips dotfiles such as .DS_Store; keep only regular files
    my @list = split("\n", `ls -1 "$picdir"`);
    my @pictures = ();
    for my $item (@list) {
        if (-f "$picdir/$item") {
            push @pictures, "$picdir/$item";
        }
    }

    if (scalar(@pictures)) {
        # the key may not exist yet, so silence the error from defaults
        my $currentpicture = `/usr/bin/defaults read $loginwindowprefs DesktopPicture 2>/dev/null`;
        if ($currentpicture) { chomp($currentpicture) };
        my $randompicture = $currentpicture;

        # pick a different picture; with a single candidate there is nothing
        # different to pick, so do not loop forever in that case
        while (scalar(@pictures) > 1 && $randompicture eq $currentpicture) {
            my $randomindex = int(rand(scalar(@pictures)));
            $randompicture = $pictures[$randomindex];
        }
        if (scalar(@pictures) == 1) { $randompicture = $pictures[0] };

        my $result = `/usr/bin/defaults write $loginwindowprefs DesktopPicture "$randompicture"`;
    }
}
Each time a user logs out, the picture behind the loginwindow is changed. Since this script runs during logout, but before the loginwindow is displayed, you should see a new picture at each logout.

Apple's Knowledge Base article on setting up a login hook is here: http://support.apple.com/kb/HT2420

MCX login scripts

There is another way to specify a specific script to run at login or logout, and that is using MCX via Workgroup Manager (Figure 1, above).

Using MCX to manage login scripts requires very specific client settings and can be tricky to get right. Make sure to read the relevant help information, accessible by clicking the purple question mark in Workgroup Manager.

Other login options

Login hooks run as the root user. There are tasks that require running as the user logging in. For these, you have a few options:

Use a login hook, but within the hook, act as the user with the su command. This can be tricky to get right.

Implement it as a launchd LaunchAgent.

Write your script as a launchable application and add it to the login items.



LaunchAgents

LaunchAgents had some pretty serious shortcomings in Tiger, but in Leopard, they are pretty useful.

A LaunchAgent is started when a user logs in, and runs as that user. As the system administrator, you should put LaunchAgent plists in /Library/LaunchAgents. /System/Library/LaunchAgents is reserved for use by Apple, and ~/Library/LaunchAgents is for the user's personal use.

Let's say you wanted to run a script at user login that would launch a setup assistant-type application. A LaunchAgent would be a good fit for this. Here's an example plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>org.mactech.demolaunchagent</string>
    <key>LimitLoadToSessionType</key>
    <string>Aqua</string>
    <key>Program</key>
    <string>/Library/Management/runSetupAssistant.pl</string>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>

This LaunchAgent plist has a unique label, which is simply a name for the task. A new key introduced in 10.5 Leopard is LimitLoadToSessionType, and here it is set to Aqua. This tells launchd to load the job only when there is a GUI login; if the user were to log in via SSH, for example, the job would not run. This makes sense for this, as we wouldn't want our GUI setup assistant application to run if the user wasn't logging into the GUI console. If you had a job that made sense to run only for a non-GUI login, you would set the value of LimitLoadToSessionType to StandardIO. Finally, the RunAtLoad key is set to true to tell launchd to run the script immediately when loading the job after login.

For more information about LaunchAgents and their options, see this Apple Technical Note: http://developer.apple.com/technotes/tn2005/tn2083.html

Last time I promised that I'd cover scripts that should run only once. A classic case is a script that launches a setup assistant. You might want it to launch the assistant the first time a user logs in, but you probably don't want it to launch every time the user logs in. Here's how you might handle this:

#!/usr/bin/perl
# run the Setup Assistant if it's never run before
my $homedir = $ENV{'HOME'};
my $checkFile = "$homedir/.my.org.setupassistant";

unless (-f "$checkFile") {
    `touch "$checkFile"`;
    `open "/Applications/Utilities/My Org Setup Assistant.app"`;
}

Here's what's happening. We define a filename: ".my.org.setupassistant". We start the name with a period so it is invisible in the Finder. The script checks for the existence of the file in the root of the current user's home directory. If it's not present, the script creates the file and opens the Setup Assistant. The next time the script runs for this user, the file will exist, and the script will exit without opening the Setup Assistant.

You can use this same basic technique for any script you want to run just once: the script actually runs at each startup/login/etc., but exits without doing anything if a certain file exists. In my opinion, this is a better approach than a script that removes itself after it runs because you can easily re-run the script in the future simply by removing its "flag" file.

Login items

There is another type of item that runs at user login. It's usually referred to as a login item, though an earlier version of Mac OS X confusingly called these "startup items". Users can add their own login items, either from the Accounts pane of the System Preferences application, or by right-clicking or control-clicking on an item in the Dock and choosing Open at Login from the contextual menu that appears.

[Figure 2. Setting an item to open at login: the Dock's contextual menu, showing Remove from Dock, Open at Login, Show in Finder and Open]


What a system administrator needs, though, is a way to specify that certain items open for all users of a given machine. There are two ways to do this. The first, if you are using MCX, is to add the items to the managed login preferences using Workgroup Manager. The second is to add the items to the file at /Library/Preferences/loginwindow.plist:

> defaults read /Library/Preferences/loginwindow AutoLaunchedApplicationDictionary
(
    {
        Hide = 1;
        Path = "/Library/Management/LoginLauncher.app";
    }
)
Applications added here are launched for all users of a given machine at login, in addition to whatever items a user may have added to their own list of login items. Note that the name of the key is AutoLaunchedApplicationDictionary: you have to add applications here, and not scripts, even if they are set as executable. In order to use this mechanism to run scripts, you need to either wrap your script into an application bundle, or write an app whose purpose is to run your scripts. Fortunately I've done that work for you. A link to such an application can be found in the next section of this article.
Running multiple scripts

A major problem with login/logout hooks is that there is support for only a single login/logout script. This can be a problem if you need to implement more than one script. A solution to this problem is to implement master login/logout hooks, which in turn run additional scripts within a given directory. Here's a sample master login hook:

#!/bin/sh
# Master login hook script
# runs each script found in the login hooks directory

LOGINHOOKSDIR="/etc/hooks/login"

if [ -d "${LOGINHOOKSDIR}" ]; then
    for script in "${LOGINHOOKSDIR}"/*; do
        # only non-empty, executable entries are run
        if [ -s "${script}" -a -x "${script}" ]; then
            # log this run
            logger -s -t LoginHook -p user.info "Executing ${script}..." 1>&2

            # run the item, passing along our own arguments (the user's short name)
            "${script}" "$@"

            # if there was an error, log it and stop
            rc=$?
            if [ $rc -ne 0 ]; then
                logger -s -t LoginHook -p user.info "${script} failed with return code ${rc}" 1>&2
                exit $rc
            fi
        fi
    done
fi

exit 0




This master hook loops through all the items in the /etc/hooks/login directory, checks to see if each item is non-zero-length and executable, and if so, writes a message to the system log announcing it's running the item, and then runs the item, passing along any command-line parameters that were sent to the master hook. A similar script could be used to run multiple logout hooks. Keep in mind what this directory now represents: everything in it runs as root at every login, so the directory and its contents must be owned by root and writable only by root. If any other user can drop a file there, that file is all they need to run code as root.

In fact, this technique is useful in other scripting situations. If you create a launchd plist to run a specific script at startup, and later you want to run another script as well, you'd have to create another launchd plist for the second script. This quickly gets tedious and error-prone. If, instead, you created a script like the master login hook that ran all the scripts in a certain directory, and created a launchd plist to run that script, then to run additional scripts, you'd only have to put them in the special directory. This enables you to do the hard work once and then add or subtract scripts as needed.
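Here is an added Python version of the master-hook idea (my code, not the article's shell script) that builds the ownership and permission check into the hook itself. It refuses any entry in the hooks directory that is not a regular file owned by the expected user (root in production), that is not executable, or that group or other can write, and it uses lstat so a symlink dropped into the directory is rejected rather than followed. The directory name /etc/hooks/login is the article's; the function names, the throwaway demo directory and its three sample hooks are my assumptions, and the demo uses the current uid in place of root so it can run unprivileged.

```python
#!/usr/bin/env python
# Added example, not the article's script: a master login hook that only
# runs hook scripts the expected owner (root in production) controls.
import os
import shutil
import stat
import subprocess
import sys
import tempfile

HOOKS_DIR = '/etc/hooks/login'   # same directory as the article's shell hook


def hook_is_safe(st_mode, st_uid, owner_uid=0):
    """True only for a regular file owned by owner_uid, executable by the
    owner, and not writable by group or other. Anything else could have been
    planted or edited by a non-root user and would run as root at login."""
    if not stat.S_ISREG(st_mode):
        return False
    if st_uid != owner_uid:
        return False
    if st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return bool(st_mode & stat.S_IXUSR)


def collect_hooks(directory, owner_uid=0):
    """Split the directory's entries into (accepted, rejected) path lists,
    sorted by name so hooks run in a predictable order."""
    accepted, rejected = [], []
    if not os.path.isdir(directory):
        return accepted, rejected
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        st = os.lstat(path)   # lstat: a symlink is checked, not followed
        if st.st_size > 0 and hook_is_safe(st.st_mode, st.st_uid, owner_uid):
            accepted.append(path)
        else:
            rejected.append(path)
    return accepted, rejected


def run_hooks(directory, args, owner_uid=0):
    """Run each accepted hook with the master hook's arguments (loginwindow
    passes the user's short name). Stop at the first failure and return its
    exit status, like the shell version."""
    accepted, rejected = collect_hooks(directory, owner_uid)
    for path in rejected:
        sys.stderr.write('LoginHook: skipping %s (bad owner, mode or type)\n' % path)
    for path in accepted:
        sys.stderr.write('LoginHook: executing %s...\n' % path)
        rc = subprocess.call([path] + list(args))
        if rc != 0:
            sys.stderr.write('LoginHook: %s failed with return code %d\n' % (path, rc))
            return rc
    return 0


def demo():
    """Build a throwaway hooks directory (constructed for this example) with
    one acceptable hook, one world-writable hook and one non-executable file,
    and return the basenames that pass the check. The current uid stands in
    for root so the demo works when not run as root."""
    workdir = tempfile.mkdtemp()
    try:
        samples = {
            '10-good.sh': 0o755,            # owned by us, rwxr-xr-x: accepted
            '20-world-writable.sh': 0o777,  # anyone could edit it: rejected
            '30-not-executable': 0o644,     # cannot run anyway: rejected
        }
        for name, mode in samples.items():
            path = os.path.join(workdir, name)
            with open(path, 'w') as f:
                f.write('#!/bin/sh\nexit 0\n')
            os.chmod(path, mode)
        accepted, _rejected = collect_hooks(workdir, os.getuid())
        return [os.path.basename(p) for p in accepted]
    finally:
        shutil.rmtree(workdir)


if __name__ == '__main__':
    if os.getuid() == 0 and os.path.isdir(HOOKS_DIR):
        sys.exit(run_hooks(HOOKS_DIR, sys.argv[1:]))
    print('accepted hooks in demo directory: %s' % demo())
```

Installed as the LoginHook, the script runs the real directory as root; run by hand as an ordinary user, it only exercises the check against the demo directory. The check does not replace fixing the permissions on /etc/hooks/login itself (a directory that others can write to lets them replace a good hook with a bad one between the check and the run), but it does make a mistaken chmod fail loudly in the log instead of silently handing out root.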

Another variation of this technique can be used to run scripts at login as the user who is logging in. You can get details on doing this at the MacEnterprise.org site:

http://www.macenterprise.org/articles/runningitemsatlogin

Conclusion, and More info

That concludes our look at scripting opportunities. You should now have a better idea how you can get your scripts to run at the proper time and in the proper context. Below, I've listed a few more places to get more info on some of the topics we've discussed. Good luck!

More options for running code at login, and a discussion of the pros and cons of each:

http://developer.apple.com/technotes/tn2008/tn2228.html

launchd, LaunchDaemons, and LaunchAgents:

http://developer.apple.com/technotes/tn2005/tn2083.html
http://developer.apple.com/documentation/MacOSX/Conceptual/BPSystemStartup/Articles/LaunchOnDemandDaemons.html

Login items, login/logout hooks, and LaunchAgents:

http://developer.apple.com/documentation/MacOSX/Conceptual/BPSystemStartup/Articles/CustomLogin.html

Introducing Microsoft Document Connection

"SharePoint parity for Macs?," or, "What users need to know about Microsoft's newest collaboration tool."

by William Smith

Making working with SharePoint a little more seamless
Windows in a Windows world,., 

Microsoft products for Windows are made to work 
togeih e r—se airde ssl y. 

Windows users can log tn to workstations with their 
Active Director>^ credentials and from that point forward they 
have seamless access to internal resources such as 
SharePoint, Microsoft’s workgroup collaboration server. When 
they open documents from SharePoint sites, they can edit and 
save them as if everything existed on their Desktops. No 
authentication ami no switching between applications. 

Life is good for Windows users in a Windows world. 

Macs in a Windows world...

On the other hand, being a Mac user in a Windows world
can be challenging at best or downright aggravating at worst.
To edit a SharePoint document, a Mac user must log in to the
site, check out and download a document, edit it, use a
browser to upload and check in the document, and specify
whether or not to save over the existing file. That’s hardly the
transparent and seamless experience that Windows users
enjoy.

Life is not seamless for Mac users in a Windows world.

A new SharePoint client for Macs 

Microsoft’s Macintosh Business Unit (MacBU) has
introduced a new application in Service Pack 2 (SP2) for
Office 2008 for Mac called Microsoft Document Connection.
Document Connection was first introduced as the Microsoft
Office Document Collaboration Companion at Macworld
2009 and has since undergone a name change and an
interface update during its private beta this past spring.


Document Connection offers Mac users a “more
seamless” experience with SharePoint 2003 and 2007 sites as
well as with Office Live Workspace, which means this tool
isn’t just for the enterprise but for school and home users of
Office for Mac too. It is installed with the free Office 2008 for
Mac SP2 update and is not available separately.

Why is “more seamless” in quotes? Although Document
Connection does make working with SharePoint and Office
Live Workspace easier, it’s still a separate application that
must be running to facilitate interaction with the servers.
Compared to the old way of working with SharePoint,
though, this is of little consequence and shouldn’t discourage
anyone from using it.

Using the Document Connection 

The Creative Agency 

Let’s examine the features and details of Document
Connection by putting it into use in a fictional group called
the Creative Agency. The Creative Agency is the name for a
team of designers, artists, production workers, copywriters
and traffickers working within the Marketing department of
a large enterprise.

This group of about 20 Mac users lives in a
predominantly Windows environment. They not only provide
creative content for marketing promotions and advertising
campaigns, but they also provide in-house services such as
preparing presentations for Sales and Executives.

The Creative Agency has been instructed to handle most
of their projects using SharePoint so that other departments
can submit work and track progress. This has been painful
for the Mac users, since using SharePoint has been a very
manual process for a lot of their work. They have been working
with SharePoint using Safari and Firefox on their G5s. The
budget for new Intel Mac Pro workstations, which would
at least allow them to access SharePoint from virtual Windows
machines, keeps getting delayed.

MacTech, July 2009, page 26 (www.mactech.com)

Setting up Document Connection 

Marty is a production artist within the Creative Agency.
His role is to merge design layouts, art and copy into various
electronic formats and make them ready for proofing or
press. He and the rest of the group have been given an
overview of the new Document Connection application in a
one-hour staff meeting, and now he’s ready to set up his
workspace and begin using the software, which was installed
over the weekend.

He locates the Microsoft Document Connection.app
application within the Microsoft Office 2008 folder in his
Applications folder and double-clicks it to open it.
Figure 1. Document Connection window

Figure 2. Add Location for SharePoint

Without connecting to a SharePoint site or an Office Live
Workspace site, Marty can do very little other than browse a
few menus. Using the Add Location button, he enters the
same URL into Document Connection that he would use to
connect to the Creative Agency SharePoint site. He has three
options for authenticating to his SharePoint server: Basic,
Kerberos and NTLMv2. He chooses Kerberos from the
Authentication drop-down menu because his Mac is bound to
Active Directory and he can take advantage of single sign-on.
Once logged in to his Mac, he will not have to keep
entering his login credentials to connect to his SharePoint
sites. (Of the three, Basic is the only one that sends the
password itself with each request, so it should be used only
against a site served over HTTPS; Kerberos and NTLMv2
never put the password on the wire.)

The Creative Agency site is set up in SharePoint to act as a
portal to several sub-sites: Art, Copywriting, Design, Production
and Traffic. Therefore it contains no document folders or lists
on the main site. When Marty compares what he sees in
Document Connection to the SharePoint site, he finds that a
folder represents each sub-site.

For the curious Sys Admins: Document Connection stores
its data in ~/Library/Microsoft/Office 2008/. Images and files
are cached to "Document Connection.mdccache", a package-
style folder that mirrors the SharePoint site folder hierarchy,
so copies of documents opened from SharePoint remain on
the Mac after the session ends. Connection data, such as
server addresses and file metadata, is stored in a
"DocumentConnection.xml" file. Because this is not a .plist
file, Document Connection cannot be managed using Managed
Client for Mac OS X preferences (MCX).
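As an added example, not part of the original article and not code shipped by Microsoft, the following shell script gives a sysadmin a quick audit of the state just described: whether DocumentConnection.xml is readable only by its owner, how many SharePoint documents are sitting in the local .mdccache package, and whether the user currently holds the Kerberos ticket that the single sign-on option depends on. The paths are those the article names; the function names and the report wording are this example's own, and the script does not parse the XML file because its layout is not documented here.

```shell
#!/bin/sh
# Added example (not from the article or from Microsoft): audit the on-disk
# state of Microsoft Document Connection for one user. Paths follow the
# article; function names and report text are assumptions of this example.

DC_DIR="${DC_DIR:-$HOME/Library/Microsoft/Office 2008}"
DC_XML="$DC_DIR/DocumentConnection.xml"
DC_CACHE="$DC_DIR/Document Connection.mdccache"

# Octal permission bits of a file; GNU stat (Linux) takes -c, BSD stat
# (Mac OS X) takes -f '%Lp'. Try GNU first because it fails cleanly on BSD.
file_mode() {
    if m=$(stat -c '%a' "$1" 2>/dev/null); then
        printf '%s\n' "$m"
    else
        stat -f '%Lp' "$1"
    fi
}

# Succeeds only when the connection file (server addresses, file metadata)
# is readable by its owner alone: mode 600 or 400.
dc_xml_is_private() {
    [ -f "$1" ] || return 1
    case "$(file_mode "$1")" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Number of documents cached locally. The package mirrors the site tree,
# so this is also a rough measure of what a lost or shared Mac exposes.
dc_cache_count() {
    [ -d "$1" ] || { echo 0; return 0; }
    find "$1" -type f | wc -l | tr -d ' '
}

# Kerberos single sign-on needs a valid ticket; klist -s prints nothing
# and returns non-zero when the credential cache is empty or expired.
dc_has_tgt() {
    command -v klist >/dev/null 2>&1 && klist -s >/dev/null 2>&1
}

dc_report() {
    if dc_xml_is_private "$DC_XML"; then
        echo "ok:   $DC_XML is readable by its owner only"
    else
        echo "warn: $DC_XML is missing or readable by others (chmod 600 it)"
    fi
    echo "info: $(dc_cache_count "$DC_CACHE") file(s) cached in $DC_CACHE"
    if dc_has_tgt; then
        echo "ok:   Kerberos ticket present; the Kerberos option can single sign-on"
    else
        echo "warn: no Kerberos ticket; the Kerberos option will not work until one is obtained"
    fi
}

# Run the report only when invoked as: sh dc_audit.sh report
if [ "${1:-}" = "report" ]; then dc_report; fi
```

Run it as `sh dc_audit.sh report` on the user's Mac, or point DC_DIR at a copy of the folder taken from a backup to inspect it elsewhere.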


Figure 3. Creative Agency SharePoint site in a web browser

Figure 4. Creative Agency SharePoint site in Document Connection


Just like the SharePoint site, Marty can start at the top
level of the Creative Agency website, represented in the
source list at the left of Document Connection, and begin
drilling down into sub-sites, document libraries and folders
to find what he needs. (The "users" icon on a folder denotes
a sub-site, the "document" icon on a folder denotes a
document library, and folders are plain folders.) He will,
however, have a frequent need to access some time sheet
forms that are buried a couple of folders deep. These time
sheets are being modified and updated all the time with new
billing codes, so keeping copies of them on his Desktop
isn't practical. Instead, he can navigate to the Time
Sheets folder in the Production sub-site and drag these
forms to Favorite Files in the source list.
Figure 5. Favorite Files


Marty has another SharePoint location that he
frequently accesses for style sheets. This is a folder of more
than 200 template files and documents for formatting
customer brochures, and it is located under the Design sub-site
of the Creative Agency website. Dragging all of these
documents to his Favorite Files area would not be practical.
Instead, he navigates to the Style Sheets folder in Document
Connection and drags it under the SHAREPOINT header in
the left-hand source list. This area, similar to the Favorite
Files area, can be used for favorite folders as well as favorite
sites. While he's at it, Marty goes ahead and adds a few more
favorite folders to the SHAREPOINT sites list.
Figure 6. Favorite sites and folders


What Document Connection can and cannot do

Before going any further, let’s talk about what Document
Connection can and cannot do.

SharePoint offers many features such as file storage,
calendars, discussion lists, task management and surveys.
Document Connection is strictly for managing files. That
includes documents and image files. It cannot connect to, read
or manipulate calendars, blogs, wikis and other site items that
you can see through SharePoint in a web browser. Files only.

Document Connection also cannot create, edit or delete
document or image libraries. Instead, it can only interact with
the contents of existing libraries. Again, files only.

Think of Document Connection as a SharePoint file
browser. It is actually akin to a Windows-only SharePoint menu
item called Explorer View, which provides navigation via a
simple folder hierarchy and enables quick file uploads and
downloads. While Document Connection does not offer a tree
list view, it does offer a simpler view of shared libraries and
folders that can be traversed using keyboard commands or the
mouse.

Starting work 

Now that Marty has set up his SharePoint connection and
added some favorites for quick access to frequently visited
areas, he's ready to start working. He has received instructions
for a simple job: update a logo in a customer brochure.

First, he reviews the style sheet for the job. Style sheets are
simple Microsoft Word documents containing font lists, logo
placement instructions, approved colors and examples of
acceptable style. The Design team maintains these style sheets,
whereas Marty is part of the Production team. He has read-only
access to their files. Therefore, Marty selects the style sheet and
clicks the Read button in the menu bar. Document Connection
downloads the document to a temporary location on Marty's
computer and opens the file in Microsoft Word. The file icon in
Document Connection indicates the document is open for
“Reading”.
Figure 7. A file open for Reading

After viewing the document and simply closing the file,
Document Connection automatically updates its status to reflect
no activity.

Next, Marty needs to find a black & white logo for the
brochure he's updating. Since he often has to modify logos, he
has added the Logos folder to his SHAREPOINT locations. He
doesn't find a black & white version of the logo he needs, but
he does find a color file that he can quickly convert in
Photoshop. This time, instead of double-clicking the file in
Document Connection, he right-clicks the file and selects Save
As... from the contextual menu.
Figure 8. Save As... contextual menu


Marty could also drag the file to his Desktop or to a folder
in the Finder. In this case, since his “Work in Progress” folder
for this project wasn't in view, he decided to use the Save As...
command to open a dialog window where he could navigate
through his local folders.

Later, the new black & white logo is ready and Marty needs
to place the image into an existing QuarkXPress document.
That document is also located on SharePoint, in the customer's
folder. When he locates the XPress document, he simply
double-clicks the file, which downloads the XPress document
from the server and opens it in QuarkXPress. This time
Document Connection displays the status of the file as “Editing”.
Figure 9. A file open for Editing


About editing files

By allowing Document Connection to download a file for
editing, you're also allowing it to handle the upload as well.
This is where Document Connection shines. Document
Connection will not only download a file but will also open
the file in your default application. This is something that Safari
with SharePoint will no longer do automatically, for security
reasons. Also, uploading can be as easy as simply saving the
document, clicking the Upload button in Document Connection
or quitting the editing application.

Different documents will behave in different ways, though.
Document Connection is part of the Office 2008 for Mac SP2
update, and Excel, PowerPoint and Word have themselves been
updated to work with it. They are Document Connection
aware. These three applications will provide the most seamless
user experience because they can signal Document Connection
when you make changes and save a file.

While a document is open in any of these three Microsoft
Office applications and the Save button is clicked, the
application will signal Document Connection to upload the
changes to the SharePoint server immediately. Document
Connection will indicate below the file name that it is uploading
the file.
Figure 10. A file uploading to SharePoint


Non-Office applications will require some additional effort
to keep document updates on the server. The QuarkXPress
document that Marty selected earlier through Document
Connection will still open in QuarkXPress, and Document
Connection will reflect that the file is being edited. However,
updating the server with changes to the document will require
two steps instead of just one.

When changes to a non-Office document have been saved
using the Save command, those changes are stored in the
locally cached version of the document. The user must do one
of two things to upload those changes to the server. He can
return to Document Connection and click the Upload button to
force an upload, where he will have the choice to Upload
Changes or Upload File. Upload Changes will keep the file
open for further editing, whereas Upload File will upload the
changes and cancel the editing status in Document Connection.
If the file is still open when Upload File has been selected, it
will remain open but no further changes can be uploaded
through Document Connection. Further changes will have to be
made locally, saved to a new document and then uploaded via
SharePoint or through Document Connection manually.

Document Connection is aware of the applications it has
launched. Therefore, if a file is open for editing and then the
application is quit, Document Connection is smart enough to
automatically upload the latest saved changes to the SharePoint
server.

Another SharePoint feature that Document Connection can
utilize is Check Out and Check In. A file opened from
Document Connection is automatically locked while it is being
edited to prevent someone else from editing the same
document at the same time. This is a short-term lock. Users can
click the Check Out button when they want to put a long-term
lock on a file. This is ideal for files that need extensive editing
and may be in progress for several hours or several days.

Changes to documents will be saved locally to the machine
until the user clicks the Check In button. During the Check In
process, Document Connection will prompt the user to enter
comments about the changes to the document, which is similar
to the behavior of checking in a document through SharePoint.


Figure 11. Comments during Check In (the dialog reads: “Other users will not see your changes until you check in the file ACME brochure - Hammon Press.qxd.” followed by a Comments field; Marty's comment notes that the ACME ... has been revised according to the new style sheets)


If the SharePoint owner has modified the View for that
particular folder to display the Check In Comment column,
then other users can see the comments uploaded through
Document Connection.
Figure 12. SharePoint with Check In Comment column


With the changes made to the document and a PDF proof
uploaded to the SharePoint site, Marty finishes with a little trick
he learned in his training. He selects the PDF in Document
Connection and selects Copy from the Edit menu, or just types
Command + C. In his e-mail message to the Customer Service
representative for this account, he then selects Paste from the
Edit menu, or just types Command + V. This pastes the full URL
of the document into his message. To view the proof, his
recipient just clicks the hyperlink Marty has created for her.

Navigation 

After a while, Marty has become familiar with Document
Connection's capabilities and its limitations, and he's
comfortable using it in his production environment. Now he
wants to kick it up a notch. As a production artist, he's very
keyboard savvy and prefers to use the mouse as little as
possible, or to take advantage of shortcuts and contextual menus.
This affords him an extra speed boost, which can be critical
during peak production cycles. Document Connection has
several ways to navigate its interface.

Using the Up Arrow and Down Arrow keys, Marty can move
up and down through the items in the file list on the right.
Using Command + Up Arrow and Command + Down Arrow, he can move up
and down the folder hierarchy, just as he can in the Finder.

Between the toolbar at the top of the Document
Connection window and the file list below is a navigation bar
with a breadcrumb trail that shows Marty his location within the
SharePoint site at all times. Clicking anywhere within that
breadcrumb trail will take him directly to a folder or site. If he
decides that he wants to add one of these breadcrumbs to his
SHAREPOINT list for quicker access, all he has to do is drag it
from the breadcrumb trail into the source list.


Document Connection makes use of a couple of contextual
menus too. Marty uses his Adobe Acrobat application to view
most of his PDFs in SharePoint because he needs to either add
hyperlinks or apply a password before sending out a document
to a client. Sometimes, though, Marty just wants to view the
PDF, and he finds that the Preview application is much faster to
load. He can right-click or Control-click the PDF in
Document Connection, select either Edit With... or Open Read-
Only With... and then select Preview from the list of available
options.
Figure 13. Breadcrumb trail in the navigation bar


To the left of this breadcrumb trail are Forward and
Backward buttons that are similar to those in the Finder and
have similar keyboard commands. Using Command + ] or
Command + [, Marty can navigate through his history of
locations. This is akin to using the Forward and Backward
arrows in a web browser too.


Again, Document Connection is limited, and Marty often
still needs to refer to the SharePoint website in his web browser.
The second contextual menu, which Marty uses a lot, takes him
directly to the site or folder he has selected under
SHAREPOINT in the source list. He just needs to right-click
or Control-click the site or folder and select Open
in Browser... to open his default browser at that location.
Figure 15. Site and folder list contextual menu
The best shortcut that Marty has found, however, is the
ability to upload or download multiple documents at once. His
Windows counterparts have enjoyed being able to use the
Explorer View menu item in SharePoint to copy many files to
the server or to their Desktops, and now he's finally able to do
this as well. All Marty has to do is open a documents folder in
Document Connection and drag one or more files from his
computer into the window to upload his files. He can download
multiple files by dragging them from the Document Connection
window to his computer.
Figure 16. Multiple simultaneous uploads


A similar method applies if Marty wants to edit, check out
or check in multiple files. To edit multiple files he can choose
all of them in the Document Connection window and select
Edit from the File menu. This is especially handy if he needs to
make quick changes to many files at once. Remember, if he's
using an application outside of Office for Mac, then he can edit
and save but none of his changes will be uploaded until he
either clicks the Upload button in Document Connection or
quits his editing application.

Quitting time 

So, by the end of the day, Marty's work is done. He's made
his edits, uploaded his files and he's ready to go home. He starts
quitting his applications before shutting down his machine, but
when he tries to quit Document Connection he receives a
message telling him that he still has files open.



Figure 17. Files open for editing 


Uh oh, which files? Marty has worked in two dozen
folders all day and whatever is open could be anywhere on
the SharePoint server. For the first time, he notices the
Drafts item in the source list on the left and selects it. Sure
enough, he sees an image file that is part of a large group
of files he was editing earlier. He had minimized it into his
Dock and had forgotten about it.
Figure 18. Drafts
A quick double-click on the file in Document Connection
restores the image file to view and Marty saves his work to
the server. The second time, he is able to quit Document
Connection.

What would have happened if Marty had quit
Document Connection while the file was still open? One of
its features is that it preserves the status, or file state,
between launches. If Marty had decided to wait until
tomorrow morning to make the final edits, he could still
click the Quit button and quit his editing application too.
The next day he would be able to launch Document
Connection, look in the Drafts list and re-open his
document. Document Connection would still upload his file
just as if he had opened it from the SharePoint server a few
minutes earlier.

What lies ahead?

The MacBU has released very little about its next
version of Office for Mac after Office 2008; therefore public
thoughts about future plans for Document Connection are
just speculation. Will it continue to be an additional tool
bundled with Office for Mac, like Remote Desktop
Connection and Messenger? Or will its functionality possibly
be incorporated into a later version of the product, like the
Open XML File Converters for Office 2004? How seamless
will MacBU make working with SharePoint in the future?

As a first-generation SharePoint tool for the Mac,
Document Connection has a lot of room for improvement.
While it's leaps and bounds beyond using the Level 2
SharePoint web interface provided to Safari and Firefox
clients, it still needs picture previews, better integration with
non-Office applications and support for the additional
information that we can currently only view in SharePoint itself.

Send feedback

Life can be good for Mac users too in a Windows world.
Most of Office for Mac's applications have a Send Feedback
tool under the Help menu to send suggestions or make
requests to the MacBU. Use it to help make Document
Connection a better tool. MacBU will be all ears.
An Interview with Brad Cox

The man behind Objective-C

by Dave Dribin

Introduction

Brad Cox is one of the co-creators of the Objective-C
language, along with Tom Love. Objective-C was originally
designed as a Smalltalk-like object system on top of the C
language. NeXT started using Objective-C for its NeXTStep
operating system and later, when Apple bought NeXT, it became
the language du jour for writing Mac OS X and iPhone
applications. Brad was nice enough to talk with me for an
interview with MacTech.

Dave Dribin: Please tell our readers who you are and what
your background is with the Objective-C language.

Brad Cox: I worked with the ITT research lab, many moons
ago now. We were interested in building coordination systems
to affect people's productivity, instead of the communication
systems like email and chat and so forth. What people today
call groupware. I couldn't see doing that in C and was casting
around for higher-level approaches.

When I learned about Smalltalk and object-oriented
programming from the Byte article, I think in 1982, I realized
I could do something pretty similar in C and that would be a
better basis to build on.

Initial versions were the usual kind of lash-up of sed and
awk, all kinds of tools. That worked well enough that we
evolved it eventually to something based on lex and yacc. And
I believe you know the rest.

DD: So it was originally implemented as a preprocessor
that generated C code, or how did that work?



Brad and Magnum 


BC: That'd be accurate of any implementation that I know
of. It just makes sense to generate C. But it might generate
assembly language these days. But, yes, all early versions were
certainly that way, and I'm not sure about later versions.

DD: The square brackets are a distinctive part of Objective-C
syntax. How did the square brackets come about, and was this
your doing?

BC: Yeah, that was me. Quite literally it was a search for
something that wasn't taken. Curly braces were taken.
Ordinary parentheses were taken. It was just a search for braces
that wouldn't collide with something C used.

DD: What features did you want to add that you had to cut
due to maybe technical or time restraints?

BC: Over the years there were a lot of them. What
Smalltalk calls blocks was one of them. Garbage collection was
another. And an interpretive language was a third. At various
times, all of those were implemented in various forms, but none
of them are a particularly good fit for a language like C. They
required fairly heavy interference with how C did things, and we
weren't happy with any of those.

DD: We are actually getting this just today. As of Mac OS
X 10.5, Apple gave us garbage collection. And as for 10.6,
the Snow Leopard release, they are going to add blocks to
Objective-C. So we're all very excited about that. They're even
adding it to the C syntax.

BC: Yeah, I've always been an enthusiast for blocks, but
getting access to the caller's stack frame is really tricky to do.

DD: In the static vs. dynamic typing debate, Objective-C
straddles both camps with its dynamic runtime and static
compiler. Was this a conscious decision or was it an
implementation issue?

BC: Well, a lot of that was added after my time. When I was
directly involved, its goal was simply to add dynamic typing to
C's static typing. And the static typing you're referring to was
largely added after my time.

The idea was that Objective-C features were to be a fairly
lightweight kind of tool: a soldering gun, not a silicon fab line.
The things you'd use C for, the statically typed stuff, would be
ways of building the software ICs. And that'd be done in C.
That was the idea at least.

As it began to catch on, various extensions were made that
culminated in the static typing you see today.
DD: I think the dynamic typing is one of Objective-C's
benefits, compared to languages like C++ and Java which are
very statically typed.

BC: I've always thought of it as a difference between a
soldering gun, which you use to assemble pre-existing
components, versus a silicon fab line, which is a far more
technical and heavyweight kind of tool, which has its place, but
they're different tools.

DD: So the dynamic typing makes it easier to connect 
things up? 

BC: Yes 

DD: So is the idea that you would bring everything together
at runtime?

BC: Not exactly. By writing an Objective-C program you'd
send this message to that. That's what I mean by hooking them
up. By writing the source code that says I want to use a
dictionary or map or whatever they call it in Objective-C these
days. You'd describe that in source code and off it goes.

DD: So Apple’s sold something like 30 million iPods and 
iPhones? How does it feel to have Objective-C running in the 
palm of so many people’s hands? 

BC: (laughs) Yeah, it’s pretty nice. 

DD: It seems that language design has been fairly stagnant.
Java, C#, Python and Ruby are not ultimately that different from
the Objective-C of 20-25 years ago. The functional languages are
coming a little more to the forefront these days. Do you have
any idea what the next Big Thing for language design or features
is going to be?


BC: Well, everybody says functional languages. I've spent a
while trying to get my head around them, and I just run into
syntax issues. It's like me and Lisp: we never got along.

DD: (laughs) I understand that completely.

BC: I have the same trouble with Haskell.

DD: So you have done some work with Haskell?

BC: Yes, uh huh. It's fairly exciting for DoD (Department
of Defense) because the idea is that in a functional language, by
writing the rules, you can pretty much write them directly off of
policy. That means you can prove them correct by comparing
them against policy. And that's very exciting stuff. I've been
involved in some projects that try to do exactly that.
Unfortunately, not hands on, so I never reached the point of any
fluency in Haskell.

DD: Do you think the language choice affects the end 
quality of the software, or are all object-oriented programming 
languages essentially the same? 

BC: I think they're pretty much the same. Bearing in mind
that distinction between soldering guns and silicon fab lines.
That's a big difference.

DD: The fact that you have reusable components? 

BC: Well, silicon fab lines can reuse gate arrays, right. So
the ability to reuse is not a fine distinction. The effect is mainly
on the cost and how long it takes to do anything.

DD: So from reading your website and looking at your 
published works such as Superdistribution, it seems your focus 
has changed to software components. Could you talk a bit more 
about your current interests? 
BC: I wouldn't say the focus has been changed. Remember,
the reason I wrote Objective-C is that I needed a soldering gun.
My interest was in components. I wanted office automation
components that I could put together to build coordination
systems. So the focus hasn't changed at all, I just needed to
detour into languages to get there.

DD: Do you want to give a quick overview of how you
have used software components since Objective-C?

BC: Oh sure. I've been using an analogy recently taken
directly from the construction industry. I'll put this in the
context of DoD and what the government is trying to do.
They're faced with the problem of massive scale. They have all
of these different agencies, which I'll analogize to cities. And all
the agencies want to use IT to improve their productivity. So
they're building SOA services. SOA means Service Oriented
Architectures.

Now those are granules at a very large scale. They're
basically server-based applications that communicate largely
through the HTTP protocol. So we have cities; actually in the
government you have even larger things than cities, states and
nations, but let's stay with cities for now. And each city wants
to build IT-based systems based on these SOA-based scaled
objects. So that's two levels of granularity right now that you can
see directly in the real world, that's now happening on a major
scale in government and within industry.

Coming at it from the other end of the spectrum, we talked
about these gate array scale components that are a very big
deal in C++ land. And we talked about software ICs, which
are more like Java classes. So there's two more levels of
integration at the low end of the spectrum.

One of my current interests is filling out the gaps between
cities and Java classes, which I think of as mud and sand.
They're components, yes, but they're very small granularity
components compared to what you really want to be working
with. You want something like bricks. Reusable components
that, yes, are built of mud and sand, but they're much larger than
any Java class.

Now a very good example of what I'm talking about when
I say a brick is a Tomcat web server: a servlet container. It
makes a pretty decent brick. The only problem is that it's a pile
of jar files. And jar files offer very poor encapsulation compared
to what you need to actually trust that this web server still
functions properly once underlying jars start changing version
numbers.

DD: So you mean there's no way to know that version X
works, but when you move up to X+1 that things haven't
broken?

BC: Exactly. Or that some hacker hasn't inserted a virus, a big concern in DoD. Because what we want to get to is trusted components, and jar files don't support trust. For that reason which is fairly minor. Now there's a new standard coming on in Java land called OSGi which addresses this and that's my current interest. It's helping OSGi find its way into everyday practice and then addressing the issue of trust, which involves a whole bunch of non-technical stuff like getting it through certification processes and onto trusted lists and things of that nature.

DD: Is that dealing with code signing and certificate management and that kind of stuff?

BC: It supports that but the usual case of OSGi is to wrap up a bundle, that's the OSGi name for what I'm talking about. Wrap it up so that it encloses some dependencies, and doesn't reference whatever you might drop into the classpath. You control what it can reference when you create the bundle.

DD: I don't know if REST, CORBA, and SOAP fit in with components, as a communication path between components, but you mentioned using HTTP. Is that REST communication between these components?

BC: Well that gets me into something that's a little more advanced than I planned to talk about. But one of the reasons that I'm interested in these brick scale components is that it's a very real problem in DoD. DoD doesn't use just one protocol. It uses hundreds of protocols. Every new generation of plane comes out with a new kind of communication device that doesn't interoperate with anything else.

One of the most exciting kinds of brick is the transport protocol brick. One is Tomcat for HTTP, another supports XMPP, and another one supports Link-16, a DoD Air Force protocol. And so forth and so on for those hundreds of protocols.

So, I call those transport components to distinguish them from transform components which get involved in things like securing these protocols at the application level. So there's access control protocols like Sun's OpenSSO and there's confidentiality things. The NSA has this whole variety of encryption algorithms that can be encapsulated as confidentiality bricks. And it just goes on from there. There's a fairly long list of transport components that would end up being used in these systems.

And notice that these bricks are related directly to that analogy of houses that I referred to earlier. Because one thing every house needs, and wouldn't it be nice if they could use the same components to get it, is interoperability and security, which is exactly what I just talked about. Transport interoperability and compatible security.

DD: You mentioned a detour through languages to reach your goal of software components. What got you on that detour?

BC: I just didn't think I could do it in C. 

DD: Could you have used Smalltalk directly or were you in an environment where C was the language you had to interoperate with?

BC (18:12): Xerox was busy shooting themselves in the foot at the time. They wouldn't sell it to me, or to anybody. They were into this "We're a research lab and that's a research toy and go away."

DD: I've covered all my questions. Is there anything else 
you wanted to add? 

BC: Well I could go on about components forever. Some of this can be easier to follow on my blog than in narrated form: http://bradjcox.blogspot.com/

I'll just wave the flag one more time for OSGi. I think it'll be very important once everybody gets on board. It'll be a bit of a culture shock to get there because it's not an easy tool to use or to learn. But I encourage your readers to start trying because it'll be important.

DD: Is this useful outside of DoD and government work? 

BC: Oh yes. I don't believe it applies to Objective-C, yet, but it's coming on strong in Java land. All of the major IDEs, such as Netbeans and Eclipse, are in the midst of a transition to OSGi-based components. And as that matures and as the tools get better, it's going to start bleeding off into people's everyday work. It's a bit of a bleeding edge topic, although OSGi is very old. The standard itself goes back as far as Objective-C. It's been around for a long time, but it's just now catching on big time in Java-land and it'll probably spread from there.

DD: Is it a replacement for jars, or does it work in 
conjunction with jars? 

BC: The latter.

DD: Extra metadata? 

BC: Exactly. A bundle is just a jar file with some extra metadata that gets looked at when the bundle launches. So you can think of bundles as miniature SOA services that exist inside a JVM. And they have life cycles, so you can take your dictionary offline and everybody waits for it to come back. That's how you want it to happen.

DD: So you can do online upgrades of components without taking the whole system down?


BC: Exactly. You can literally upgrade very fine-grained things to a new version number, if the things are actually compatible at runtime, and nothing breaks. So the way you typically use it is launch a virtual machine, launch OSGi inside that virtual machine, and let it just stay there indefinitely. And upgrade it as you do software development.

It takes a bit of getting used to. It's a different mental model than when you work with Java, where you launch it and destroy it and launch it and destroy it.

Conclusion 

I'd like to thank Brad for taking the time to participate in this interview. It's always great to hear from visionaries in our industry.
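Cox describes a bundle as a jar plus metadata that fixes what the bundle may reference, so that an exporter moving from version X to X+1 is accepted or refused when the bundle resolves instead of breaking later at run time. As an added example, not part of the interview and not code from any OSGi framework, here is a minimal Python resolver for the Import-Package version-range syntax such manifests use (square brackets inclusive, parentheses exclusive, a bare version meaning that version or later). The manifest text, package names and version numbers are constructed for the example; the header names are the real OSGi ones.

```python
"""Added example (not from the interview or any OSGi framework): a minimal
resolver for OSGi Import-Package version ranges, showing how a bundle's
manifest decides up front whether a dependency at version X+1 is acceptable.
The manifest, package names and version numbers below are constructed."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed manifest for a hypothetical bundle; the header names are real
# OSGi manifest headers, the packages and versions are made up.
BUNDLE_MANIFEST = """\
Bundle-SymbolicName: org.example.webbrick
Bundle-Version: 1.2.0
Import-Package: javax.servlet;version="[2.5,3.0)",
 org.example.logging;version="[1.0,2.0)",
 org.example.crypto;version="1.1"
Export-Package: org.example.webbrick.api;version="1.2.0"
"""

Version = Tuple[int, int, int]
# (low, low_inclusive, high, high_inclusive); high is None for "this or later"
Range = Tuple[Version, bool, Optional[Version], bool]

def parse_version(text: str) -> Version:
    """'1', '1.2' or '1.2.3' -> (major, minor, micro); missing parts are 0.
    A fourth, qualifier segment such as '1.2.3.beta' is ignored here."""
    nums = [int(p) for p in text.strip().split(".")[:3]]
    while len(nums) < 3:
        nums.append(0)
    return nums[0], nums[1], nums[2]

def parse_range(text: str) -> Range:
    """OSGi range syntax: "[1.0,2.0)" where [ ] are inclusive and ( ) exclusive
    bounds; a bare "1.1" means 1.1 or any later version (no upper bound)."""
    text = text.strip().strip('"')
    m = re.fullmatch(r"([\[(])\s*([^,]+),\s*([^\])]+?)\s*([\])])", text)
    if not m:
        return parse_version(text), True, None, False
    lo_br, lo, hi, hi_br = m.groups()
    return parse_version(lo), lo_br == "[", parse_version(hi), hi_br == "]"

def in_range(version: Version, rng: Range) -> bool:
    low, low_inc, high, high_inc = rng
    if version < low or (version == low and not low_inc):
        return False
    if high is None:
        return True
    return version < high or (version == high and high_inc)

def manifest_headers(text: str) -> Dict[str, str]:
    """Join JAR-manifest continuation lines (leading space) into 'Name: value'."""
    headers: Dict[str, str] = {}
    current = ""
    for line in text.splitlines():
        if line.startswith(" ") and current:
            headers[current] += line[1:]
        elif ":" in line:
            name, value = line.split(":", 1)
            current = name.strip()
            headers[current] = value.strip()
    return headers

def split_clauses(value: str) -> List[str]:
    """Split on commas outside double quotes, so the comma inside a range
    such as "[1.0,2.0)" does not split the clause."""
    clauses: List[str] = []
    buf: List[str] = []
    quoted = False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            clauses.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    clauses.append("".join(buf).strip())
    return [c for c in clauses if c]

def parse_imports(manifest_text: str) -> Dict[str, Range]:
    """{package: range} from Import-Package; a clause with no version
    attribute accepts any version (the OSGi default of 0.0.0 or later)."""
    header = manifest_headers(manifest_text).get("Import-Package", "")
    imports: Dict[str, Range] = {}
    for clause in split_clauses(header):
        parts = [p.strip() for p in clause.split(";")]
        rng = parse_range("0.0.0")
        for attr in parts[1:]:
            if attr.startswith("version="):
                rng = parse_range(attr[len("version="):])
        imports[parts[0]] = rng
    return imports

def resolve_imports(manifest_text: str,
                    available: Dict[str, List[str]]) -> Dict[str, Optional[str]]:
    """Pick the highest exported version inside each import's range, or None
    when nothing fits: the point at which a framework refuses to resolve the
    bundle rather than letting it fail at run time."""
    resolved: Dict[str, Optional[str]] = {}
    for pkg, rng in parse_imports(manifest_text).items():
        fits = [v for v in available.get(pkg, []) if in_range(parse_version(v), rng)]
        resolved[pkg] = max(fits, key=parse_version) if fits else None
    return resolved
```

With exporters at javax.servlet 2.5.0 and 3.0.0, the bundle binds to 2.5.0 because 3.0 is an exclusive upper bound; an org.example.crypto exporter at 1.0.0 leaves that import unresolved because the bare "1.1" means 1.1 or later.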
Many times when working with a group it is necessary and helpful to conduct a brainstorming session.

Using a mind map is a great way to work with a group of people to identify critical project details, develop ideas, engage all project participants in the early stages of project development, capture thoughts, and organize and share them in a visual format.



Figure 1: Initial Brainstorm Session Mind Map 

With ConceptDraw MINDMAP, the mind mapping and brainstorming software tool, teams are fully equipped with the ability to engage all project participants in the brainstorming process and communicate results in appropriate formats.

Below are a few suggested guidelines for making the most of 
a brainstorming session: 

1. Ensure all project participants have access to view and participate in the brainstorming session using ConceptDraw MINDMAP. A projector connected to a computer in a conference room is a great idea!

2. Delegate a facilitator to moderate the sessions, keep track of the time, and ensure the topics stay on track. The facilitator should be someone who understands the brainstorming process and has the ability to keep participants on track.

3. Avoid judging or nixing any ideas. The brainstorm session is a collective thought process that can be organized and filtered out later.

4. While spelling and grammar are important in almost all project documents, avoid correcting any typos during brainstorming. All mistakes can be corrected once the session is over.



5. It is a good idea to break the brainstorming session into two parts. Designate a set time limit for each session. Time restrictions inspire creativity as they motivate participants to quickly generate new ideas. When the time is up, you will be alerted with a friendly "Time is up!" pop-up window.

• The default in ConceptDraw MINDMAP is set for 10 minutes, which is a reasonable amount of time for most initial brainstorming sessions. The second session should be much shorter (2 minutes).

• If after some time, there is a lack of contribution 
coming from the group, cut the session short. No 
need to look at one another with a blank stare! 

6. When the session is complete, click Finish Brainstorming to organize ideas in Map mode. In this mode you can begin to organize ideas in a format that is appropriate for your team. Feel free to initiate more brainstorming sessions until the map is complete.



Figure 2: Brainstorm Session Mind Map in Map Mode 

7. It is extremely important to share the brainstorming results with all project participants. Share the results by distributing a soft or hard copy of the mind map to all team members. Sending out results sooner rather than later is the best way to ensure everyone keeps all the amazing ideas fresh in their minds!

With ConceptDraw MINDMAP your brainstorming sessions 
are not only productive, they are also the first big step in 
defining a project. 

For more information on ConceptDraw MINDMAP please visit: www.conceptdraw.com

Client Image Deployment and Maintenance - Part 1


by Criss Myers 


Background to Image deployment

We have previously looked at some different methods to image network Macs, in particular Apple's NetInstall and NetBooting. These are great tools, but they rely upon a monolithic image, that is, a single, very large image containing the OS, updates, software, settings, etc. One of the many problems associated with this, however, is the deployment of various different setups within the network. With a single image, each Mac will be identical, which may be fine for some situations, but there are times when it is necessary to deploy different image configurations to different groups of Macs, for example, deploying different applications to different groups of Macs. With a monolithic image the only way to achieve this is with multiple images, which leads to extra work and resources as well as to inconsistencies between the images. There is also the question of keeping the client machines updated and handling the installation of future software. With NetInstall, NetBooting and Bombich's NetRestore it would require a rebuild of the monolithic image and a reimage of the clients.


Fig 1, A monolithic approach to Mac image deployment: each deployment (Base, Print, Motion, Video) contains the same common software; however a separate image has to be created for each. (Image courtesy of JAMF Software)


The Future, a different approach 

Today, there is an alternative approach to this procedure, which is becoming more and more popular. Apple themselves seem to be tending towards a method that revolves around a package-based system. This means creating a very simple OS based image, with as few modifications and tweaks as possible, and then building on top of this with individual packages and scripts. Then different configurations can be made from the same list of source packages with the Base OS being constant between them. Free examples of this approach are InstaDMG and DeployStudio. Both offer a package based configuration deployment method. A commercial option is also available from a company called JAMF Software and is called The Casper Suite.


Fig 2, A package-based approach: a package is made for each piece of software and then different configurations (Base, Print, Motion, Video) are created around these common packages. (Image courtesy of JAMF Software)


The Casper Suite 

The Casper Suite is a suite of software application tools, together with a web interface to a MySQL database, that offers a package-based imaging system. In addition to imaging, the Casper Suite offers a way to maintain your clients after you have imaged them; this makes the Casper Suite stand out from all other imaging systems, by giving system administrators the ability to maintain their clients. Other features that The Casper Suite offers are inventory, remote control, license management and settings management. JAMF Software offers a service that is second to none; their phone support as well as their email ticket support is fast and knowledgeable. They listen to their customers and many of the new features that get introduced are through feature requests from their customers.


Fig 3, the various services that the Casper Suite offers: Inventory, Imaging, Patch Mgmt., Software Distribution, Remote Control, Settings Mgmt., License Mgmt. (Image courtesy of JAMF Software)


Pull rather than Push

Most deployment systems work on a Push basis, where the server or admin machine pushes out the image to all those that wish to accept it. This is also the case for Apple Remote Desktop / Task Server, which can be used to push out software packages to clients. What JAMF Software offers is a forced 'Pull rather than Push' system. Casper Suite uses a pull method where the client connects to the server and pulls the software off it. The client can be instructed via a small ssh connection to mount the file server and pull its software. As Casper supports multiple file servers in different locations, this method scales very well. The client can be contacted by ssh from a central server, but then mount a local file server from which to pull off the software. This naturally helps to optimize performance as well as allow an administrator to initiate the process from any Mac OS X workstation.

The Casper Suite is made up of the following tools:

JSS, JSS Setup Utility, Casper NetInstall Creator, Composer, Casper Admin, Casper Imaging, Casper Remote, Recon, CasperVNC, Casper Mobile and Self Service.

JAMF Software Server - JSS (Tomcat + MySQL)

The JSS is the central core to the Casper Suite and ties all the other components together. It is essentially a MySQL database with a Tomcat servlet that acts centrally for all the Macs being managed. The clients connect to the JSS to gather their instructions. The JSS enables you to carry out automated tasks to simplify the management of your client Macs. The JSS stores all the data relating to the clients and the deployment content, as well as management instructions. The deployment content itself is stored on what are called Distribution Points. The clients connect to the JSS by ssh and then to the Distribution Points via AFP or SMB. The client initiates the connection rather than the server, therefore no data is broadcast. The client has a jamf.conf file which contains the details of the JSS.

JSS Setup Utility

This is the first thing to set up when installing the JAMF software; the setup utility is used to install and configure the JSS as well as running updates and maintenance.

Launch the JSS Setup Utility, connect to your server's DNS and login with your server's details. You can now install the JSS and set up the AFP Share. Click the install icon and choose the default option to set up the Distribution Point; this is the AFP share on the server where you store the packages and scripts. After the JSS is set up the web browser will be launched for you to register the software, enter the activation code and then create the first account that can logon to the JSS.

Once installed you can then configure the JSS. There are 5 sections to the JSS: the main server details section, Database, Web Application, File Sharing and HTTP Downloads.


Fig 4, The JSS Setup Utility, the 5 monitoring sections for each server (Database, Web Application, File Sharing, HTTP Downloads).

The server section gives you an overview of the server and status of the services. If there is an update available you can install it via the Update pane. Under Automated Maintenance you can set up automated backups, monitor services or restart services when needed, as well as log deletion and distribution point replication.

The Distribution Point is the File Share from which you deploy your OS, Packages and Scripts. You can have as many as you need; the more distribution points you have on different servers, the better load balancing you get. You can also have local distribution points for larger organizations. You will, however, need to synchronize these, and this is done in the JSS Setup Utility via rsync. Your Distribution Point can be an AFP or SMB share, so it can run from a Windows server as well.
Fig 5, The JSS Setup Utility main monitoring section showing the installed versions and current updates available (JSS Server Components Overview: Operating System Mac OS X Server 10.5.5 (9F33), Tomcat Version Apache Tomcat/6.0.18, MySQL Version 5.0.67; Tomcat, MySQL, AFP and HTTP Downloads status all Running; JSS Installed Component Versions: Database Schema Version 6.0, Web Application Version 6.01, the installed components are up to date; tabs Overview, Logs, Update, Automated Maintenance).

The Database section is used to verify and repair your MySQL database and tables in its Troubleshooting section. Here you can also set the Max Packet Size; by increasing the packet size, you can capture more data when inventorying the computers. The more data you gather about the computers, the larger the size of the data being transmitted. If this is too large, submission of the inventory will fail.

Fig 6, The JSS Setup Utility Database section (MySQL Service Overview: Long MySQL Version mysql Ver 14.12 Distrib 5.0.67, for apple-darwin9.0 (powerpc) using EditLine wrapper; Max Packet Size 8 MB; Current Connections 10).


Fig 7, The JSS Setup Utility; changing the Max Packet Size for MySQL (Current Setting: 8.00 MB (8388608); Change Value To: 8.00 MB (8388608); Make Change Permanent; Cancel / OK).


The Backup/Restore tab allows you either to create a backup for migration to another server, or to restore the server from an automated backup. Migrating the JSS is relatively easy: just backup the database and then restore that database on the migrated server.

The Web Application section allows you to edit the memory settings for Tomcat, as well as taking advantage of a server's 64-bit mode.


Fig 8, The JSS Setup Utility Web Application section (Tomcat Settings: Minimum Memory 256 MB, Maximum Memory 8192 MB, Start Tomcat in 64-bit mode, Update); you can set the memory as well as use the 64-bit mode.

Once the JSS is set up and configured and all ports have been added to the server's firewall (ports 22, 8443, 5B4, 80, 443 and possibly 9006, 389, 5999, 139, 445, 25 and 514), the next thing is to access the web interface.
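After the ports listed above have been opened on the server's firewall, a quick reachability check from an admin Mac confirms that the JSS is actually exposed on them, and that nothing beyond them has been opened by accident. This is an added example, not part of the article or of the Casper Suite; the port numbers are the ones the article lists (its one garbled entry is left out) and the host name is a placeholder for your JSS server's DNS name.

```python
"""Added example (not from the article or the Casper Suite): confirm which of
the JSS firewall ports answer on a host. Port numbers come from the article's
list; JSS_HOST is a placeholder to replace with your own server's DNS name."""
import socket
from typing import Dict, Iterable, List, Tuple

# Ports the article says the server needs: 22 (ssh, used to contact clients),
# 8443 (JSS over https), 9006 (JSS over http), 80 and 443 (HTTP Downloads).
# The article lists the rest as "possibly" required: 389 (LDAP), 5999,
# 139 and 445 (SMB distribution points), 25 (SMTP) and 514 (syslog).
REQUIRED_PORTS: Tuple[int, ...] = (22, 8443, 9006, 80, 443)
OPTIONAL_PORTS: Tuple[int, ...] = (389, 5999, 139, 445, 25, 514)
JSS_HOST = "jss.example.com"  # placeholder, not a real server

def port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True when a TCP connection to host:port completes within the timeout.
    A refused port and a filtered (silently dropped) one both count as closed;
    a name that does not resolve also counts as closed rather than crashing."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_ports(host: str, ports: Iterable[int], timeout: float = 2.0) -> Dict[int, bool]:
    """Map each port to whether it answered on host."""
    return {port: port_open(host, port, timeout) for port in ports}

def missing_required(host: str, timeout: float = 2.0) -> List[int]:
    """Required ports that did not answer; an empty list means the JSS is
    reachable on everything the article says it needs."""
    return [p for p, ok in check_ports(host, REQUIRED_PORTS, timeout).items() if not ok]

def local_listener() -> Tuple[socket.socket, int]:
    """Open a listening socket on an ephemeral loopback port so the check can
    be exercised offline against a port that is known to be open."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]

def report(host: str = JSS_HOST, timeout: float = 2.0) -> str:
    """One line per port group, naming each port open or CLOSED."""
    lines = []
    for label, ports in (("required", REQUIRED_PORTS), ("optional", OPTIONAL_PORTS)):
        status = check_ports(host, ports, timeout)
        lines.append("%s: %s" % (label, ", ".join(
            "%d %s" % (p, "open" if ok else "CLOSED") for p, ok in status.items())))
    return "\n".join(lines)

if __name__ == "__main__":
    print(report())
```

Run it from a workstation outside the server's own firewall, since a check from the server itself says nothing about what the firewall lets through. Any optional port reported open that you have not deliberately enabled deserves a second look.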

The web interface is accessed either by http or https at your server's DNS address with ports 9006 or 8443 respectively. Login with the first JSS account you set up.

The Web is divided into the following four sections: Inventory, Management, Logs and Admin. Depending on the account's privileges, you will either see all sections, or those that you have access to.

The Inventory section is where you will access the records that were gathered when inventorying your computers; here you can also edit those records as well as accessing logs for each computer.

The Logs section allows you to view the various Casper activity logs as well as receipts logs (see Figure 9 below).

The Admin section is where you can set up the various preferences and settings for Casper. Here you set up the accounts that can use the Casper tools as well as their user privileges and what notifications are sent to that user. Casper keeps a full record of all changes that are made by the users. You can also join Casper to your existing Directory database (see Figure 10 below).

The Management section is the key section where you set up the various ways that Casper can manage your Macs (see Figure 11 on the following page).

The main configuration options to focus on at first are: 
Admin Section

Setup a few accounts that can use the Casper Software. Give them custom privileges and notifications. (Admin - Accounts)

Join Casper to your existing Directory service if you wish 
to take advantage of existing users and groups. (Admin - LDAP 
Servers) 

Setup your Inventory options; this is what information is gathered from each computer, such as hardware, local users, mapped printers, Unix commands, running services, fonts, plugins etc. Do not try to gather much information at first, before you have decided what information is useful. (Admin - Inventory Options - Inventory Preferences)

You can setup different Buildings / Departments and 
Network Segments to help you to divide your inventory up into 
smaller manageable groups. (Admin - Buildings / Departments 
/ Network Segments). 

Next setup some general JSS settings: the Activation Code, SMTP settings and the change management to log all users' changes. (Admin - General Settings)


Management Section 

Next you can setup the management preferences. Here you 
can choose whether to use startup scripts, login hooks as well 
as enabling load balancing. (Management - Management 
Preferences) 

Setup any Active Directory bindings that you want automating during imaging. (Management - Active Directory Bindings)

Edit the distribution points; turn off the HTTP section if you do not wish to use it, as this will cause problems installing PKGs. There is a current bug in the system that turns on the HTTP for Distribution Points every time you use the JSS Setup Utility. (Management - Distribution Points)

Casper Netinstall Creator 

The last thing to do on the server side is set up the NetBoot deployment. Casper utilises the NetInstall capabilities of Mac OS X Server to enable network deployment. You will need to create a NetInstall image and activate it on your server.


Fig 9, Web interface to the JSS and the Logs section. Activity Logs: Casper Remote Logs (logs of activities performed with Casper Remote); Policy Logs (logs of activities performed by Policies); Casper Imaging Logs (logs from imaging of computers using Casper Imaging); VNC Logs (logs from connections using CasperVNC); Self Healing Logs (logs from packages that have Self Healing enabled); Computer Usage Logs (logs of Login, Logout and Startup events). Receipts: Packages Installed By Casper/Policy (packages that have been installed using The Casper Suite); Cached Packages (packages that have been cached by The Casper Suite); Packages Installed by Installer.app/SWU (packages that have been installed by Installer.app or Software Update); Available Software Updates (software updates that are currently available on computers); Scheduled Tasks (scheduled tasks that were created by The Casper Suite); Local User Accounts (user accounts on managed computers); Mapped Printers (printers mapped on managed computers); Running Services (running services on managed computers).

Fig 10, the Admin section of the JSS web browser. JSS Accounts: Accounts (manage accounts that have access to the JSS); General Settings (change your Activation Code and SMTP Server); LDAP Servers (LDAP Servers can be used for JSS authentication and inventory); Database/Web Application Health (check the database status/integrity and Web Application usage). Inventory Options: Flush Database Logs (flush old logs and reports from the database); Inventory Options (configure options for inventory). Mass Edit: Move Locations/Servers (Building, Department, File Server, SWU Server, NetBoot Server); Autorun Data (change Autorun Data for a group of computers); Add SSH Accounts (add SSH account records to currently unmanaged computers); Edit SSH Accounts (edit account records of currently managed computers). Network Organization: Buildings (buildings for organizing inventory); Departments (departments for organizing inventory); Network Segments (for scanning the network, assigning servers and scoping).
Fig 11, the Management section of the JSS web browser. Management Framework. Computer Management: Policies (create and modify Policies to manage your computers); PreStage Imaging (automate the imaging of new computers); Restricted Software (specify applications that should not be allowed to run). Computer Groups: Smart Computer Groups (smart groups are updated automatically as inventory changes); Static Computer Groups (static groups of computers). Casper Admin (manage packages, scripts, printers and configurations); Management Preferences (preferences regarding how computers should be managed); Self Service Preferences (preferences regarding how the Self Service application behaves); Scheduled Tasks (timed events that trigger actions on managed computers); Active Directory Bindings (specify AD information to automate binding). Servers: Distribution Points (configure servers used to deploy packages); Software Update Servers (Software Update Servers for deploying updates); NetBoot Servers (servers that computers can use as startup disks).


Step 1, Create a DMG of an OS installation disk; this can be done using Composer.



Fig 12, Composer, creating an OS DMG from an install DVD.


Step 2, Use Casper's NetInstall Creator with the following details:

Fig 13, Casper NetInstall Creator.


Set the "Path to Image source" to the DMG you created.

Give it an Image name and Index, using a high index number for load balancing NetBoot servers.

Choose Enable / Default.

Browse to the Casper Imaging App on your Mac; this will then be added to the NetInstall image.

Tick "Create Casper Preference File" and enter the server's DNS.

Click Create.

Step 3, Upload and activate on the NetBoot Server.

When you boot your clients from this NetInstall image, it will launch the Casper Imaging App from within the image using the DNS you gave; this will then connect to the JSS to gather imaging details (called Autorun) about this client. If the client is already known to the JSS then the rest of the deployment will be automated.

Conclusion 

This concludes the setting up of the server tools and we are now ready to begin adding the clients and deployment content. This will be covered in Part 2. The server required for running the Casper Suite can be as basic as a Mac Mini, but to enable large scale deployment of a large amount of data then an Xserve would be recommended. For larger networks, Mac Minis could be used as additional Distribution Points in various locations across the network; these would then help to deliver content more quickly than from one central location.

Demystifying PKI - Part 2

A Series of Articles and How-Tos about PKI technology in the OS X environment


By Michele (Mike) Hjorleifsson 


[Screenshot: the Keychain Access application menu (About Keychain Access, Preferences..., Keychain First Aid, Certificate Assistant, ...)] 

Part Two: Establishing your own 
Standalone CA 

Last month we traveled the road of history, reviewing where PKI 
came from, what it is and how it is used. This month, let's dive into 
what we can use PKI for on a daily basis, and then we'll set up our own 
standalone Certificate Authority (CA) and start cranking out some 
certificates of our own. 

Issuing SSL certificates to protect websites, e-mail, iChat, iCal 
and other OS X services is probably the most popular use for PKI on 
the OS X platform. Yet there are some other interesting uses you'll 
want to know about. Digital signing has become a more popular use of 
PKI, so it's worth mentioning in this context. If you have ever 
downloaded an ISO file or manually downloaded an update from Apple, 
you have probably seen an MD5 or SHA-1 hash associated with the 
download. The hash provides a sanity check to ensure you downloaded 
the entire file properly and intact. A digital signature starts from 
the same hash, with one crucial difference: the hash is then 
signed with the private key belonging to your personal certificate, 
so the signature could only have been produced by you and can be 
checked by anyone who holds your certificate. That is the smoke 
behind the mirrors of digital signing. 

Mac OS X Leopard provides an application for administrators to 
create a CA and perform some basic PKI operations on top of OpenSSL, 
through a little known and somewhat hidden GUI application called 
Certificate Assistant. In the following section, we will create a 
self-signed root CA and then use it to issue a server certificate 
that can be used for several of the Mac OS X Server-provided services. 

From Finder, press Command+Shift+U to open the Utilities folder 
(a sub-folder of your Applications folder). Select and then open the 
Keychain Access application. 


[Screenshot: the Certificate Assistant submenu: Create a Certificate..., Create a Certificate Authority..., Create a Certificate For Someone Else as a Certificate Authority..., Request a Certificate From a Certificate Authority..., Set the default Certificate Authority..., Evaluate...] 

From the Keychain Access menu, select Certificate Assistant and 
then choose Create a Certificate Authority. The Certificate Assistant 
application launches and prompts you to enter some basic information 
about the CA you want to create. Enter the name of the CA. For Type, 
select Self Signed Root CA. Make sure the Let me override defaults 
box is checked. 

Click Continue to proceed to the next dialog box. 


[Screenshot: the Create Certificate Authority dialog: name, Identity Type Self Signed Root CA, User Certificate Type, Let me override defaults] 


Enter an arbitrary, unique serial number and a validity period. 
Mac OS X remembers certificate serial numbers and rejects a new 
certificate with the same serial number as a previous certificate 
from the same authority. Keep track of the serial numbers you have 
used; better still, pick large random values, since an issuer must 
never sign two certificates with the same serial and a predictable 
sequence is one more thing to get wrong. The User Certificate Type 
must be set to SSL Server. The other settings are for generating a 
CA web page that lets people submit certificate requests to your new 
authority (you may want to use that), and for signing your 
certificate invitation. 


[Screenshots: the Key Pair Information For This CA dialog, and the Certificate Information dialog with Serial Number, Validity, User Certificate Type, Create CA web site and Certificate Invitation fields] 


Enter the basic contact information for the CA certificate. The 
Name (Common Name) field doesn't have to be a valid domain name, 
since the CA certificate won't be used by any server, but it is good 
practice to provide accurate information, especially if you will be 
providing services to individuals outside of your internal 
organization. The email address entered is presented when someone 
looks at the details of the certificate and wants to pose a question 
to the owner of the certificate or certificate authority. 


The CA certificate must have a Key Usage extension with at least 
the Signature and Certificate Signing capability boxes checked. If 
either of those capabilities is not specified, browsers and client 
applications will reject any child certificate (the certificates you 
create for your specific servers or services) of the CA certificate. 
Check CRL Signing as well if you ever intend to publish revocation 
lists from this CA; adding it later means re-issuing the root. 




[Screenshot: the Key Usage Extension For This CA dialog, with Include Key Usage Extension, Signature and Certificate Signing checked] 

The next screen presents options for the key pair, such as the 
size of the key and the algorithm used to create it. The defaults are 
acceptable: 2048-bit RSA keys are well beyond practical factoring 
with current techniques, and RSA is the most widely supported 
algorithm today. Do not go below 2048 bits for a root that will be 
trusted for years. 


Next, specify the default key usage extension settings for any 
leaf certificate (also called a sub-certificate) created with the CA 
certificate as the root. SSL server certificates need the Key 
Encipherment box checked, because the RSA key exchange used by most 
TLS cipher suites encrypts the session's premaster secret to the 
server's public key, and should have Signature checked too, which 
the cipher suites with ephemeral Diffie-Hellman key exchange require. 
Key Agreement is only meaningful for Diffie-Hellman or ECDH keys, 
not for an RSA key; checking it does no harm, but it is not what 
makes the certificate work. If Key Encipherment is missing, services 
and browsers will reject the certificate. 

Although documentation suggests this may not be necessary, giving 
the CA certificate an extended key usage extension with at least the 
SSL Server Authentication capability bit set provides additional 
insurance that browsers will be happy. Note that the default value is 
Any, and it is the safer choice: some validators (Windows CryptoAPI, 
for instance) treat an extended key usage on a CA certificate as a 
restriction on everything that CA issues, so a root narrowed to SSL 
Server Authentication could not later issue certificates for e-mail 
signing or for services assigned to dedicated servers (such as Mail). 
Leave it at Any unless you are certain which purposes the certificates 
will ever be issued for. 

[Screenshot: the Extended Key Usage Extension For This CA dialog, with Include Extended Key Usage Extension checked and Any selected among the capabilities (SSL Server Authentication, SSL Client Authentication, Code Signing, Email Protection, ...)] 

Though the following screen may look the same as its predecessor, 
there is a purpose for the seeming redundancy. These options apply to 
the leaf or sub-certificates issued by the CA and what they should be 
allowed to do. You are setting permissions for the issued certificates 
coming from your certificate authority. Using Any is fine, but at a 
minimum you will want to employ SSL Server Authentication, the most 
common use for the certificates you issue. 


[Screenshot: the Extended Key Usage Extension For Users of This CA dialog] 

The CA certificate must have a basic constraints extension with 
at least the Use this certificate as a certificate authority option 
specified. If it does not, client browsers and client side 
applications will reject any child certificate of the CA certificate 
and our entire exercise was for naught. 
This step, though it seems redundant, specifies default basic 
constraints extension settings for any leaf or sub-certificate 
created with the CA certificate as the root. SSL server certificates 
must not have the Use this certificate as a certificate authority 
option specified; include the extension anyway, with that option off, 
since some services and client applications reject a server 
certificate that is marked as a CA or that lacks the extension. 

Any certificate with the SSL Server type must have a subject 
alternate name extension specifying either the dNSName field or the 
iPAddress field. Obviously, there are no special constraints on the 
value of either of those fields for the CA certificate. 
Again, any certificate with the SSL Server type must have a 
subject alternate name extension specifying either the dNSName field 
or the iPAddress field. The value of those fields must match the 
domain name or IP address which clients will use to contact SSL 
servers using any child certificate of the CA certificate. Obviously, 
we will have to override this value when creating each such child 
certificate unless we're creating them for the same server all the 
time. Nevertheless, Certificate Assistant requires a value to be 
specified to continue, so provide a reasonable default. 



Select the keychain in which the CA certificate will be stored. 
If you want browsers using Keychain Services to accept child 
certificates of the CA certificate, check the On this machine, trust 
certificates signed by this CA box. Note that, as the label implies, 
this affects the trust setting for the CA certificate for the entire 
machine, not just your specific system user: every account and every 
application on it will accept anything this CA has signed, so the 
machine is only as safe as the CA's private key. Consider the 
consequences of that choice carefully. It is possible to change trust 
settings on a per user basis instead. 
We can finally appreciate the fruit of our labor. Double-clicking 
the CA certificate in Keychain Access will allow you to confirm that 
all the required settings, options and capabilities are properly 
configured. 
Now that we have a valid CA for creating certificates for our web 
and other services, we will see that using the CA is pretty easy. I 
will not repeat the entire sequence of operations presented for the 
CA certificate, but rather focus on the steps that are specific to 
the creation of an SSL server leaf certificate. Keep in mind that the 
restrictions mentioned above apply to leaf certificates, and that we 
will have to re-enter the values we specified as defaults when 
creating the CA certificate: Certificate Assistant does not fill in 
those defaults. 

From the Keychain Access application, choose the Create a 
Certificate command from the Certificate Assistant menu. 

Enter the domain name that clients will use to access the SSL 
server as the certificate's name. For Type, choose Leaf. Check the 
Let me override defaults box to edit some of the certificate's 
settings we specified earlier. 
Enter a serial number different from the CA certificate and 
different from any other leaf certificate you have already created, 
even if they were for the same domain. Applications check and keep 
track of certificate serial numbers, and certificates with identical 
serial numbers from the same issuer are rejected. A large random 
value is the easiest way to guarantee uniqueness. Also make sure that 
the Certificate Type is set to SSL Server, otherwise applications may 
reject the certificate. 
Select the CA certificate created earlier. 
SSL server certificates must have a basic constraints extension 
with the Use this certificate as a certificate authority option 
disabled. 

SSL server certificates must have a key usage extension with the 
Key Encipherment and Signature boxes checked; Key Agreement only 
applies to Diffie-Hellman keys. If Key Encipherment is not enabled, 
applications may reject the certificate. 

SSL server certificates must have an extended key usage extension 
with, minimally, the SSL Server Authentication check box set. If it 
is not, browsers and other applications may reject the certificate. 

SSL server certificates must have a subject alternate name 
extension with either the dNSName field or the iPAddress field 
specified. The values for those fields must match what clients will 
use to connect to the SSL server. In other words, the value for the 
dNSName field should match the value of the Name (Common Name) field 
of the certificate (specified in the Certificate Information dialog 
box), and the value of the iPAddress field should be the address 
clients will connect to by IP, normally the one the dNSName domain 
resolves to. Clients compare the name they typed against the subject 
alternate name, so a certificate for www.example.com will not be 
accepted for example.com or for the bare IP address unless those are 
listed as well. 
We can once more appreciate the fruit of our labor. 
Double-clicking the certificate in Keychain Access will allow you to 
confirm that all the required settings, options and capabilities are 
properly configured. 

We can now install this certificate onto our Mac OS X Server and 
use it for Web, iChat, iCal, Open Directory or any number of 
services. 
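The Certificate Assistant procedure above, reproduced on the command line as an added example (this is not code from the article or from Apple): OpenSSL is what Certificate Assistant drives underneath, and writing the extensions out by hand makes each requirement from the preceding pages explicit and checkable. The CA name "Example Corp Root CA", the host www.example.internal and the address 10.0.0.5 are placeholders.

```shell
#!/bin/sh
# Added example (not from the article): the CA and SSL-server leaf built
# with Certificate Assistant above, done with the openssl CLI so that the
# required extensions are explicit. Placeholders: "Example Corp Root CA",
# www.example.internal, 10.0.0.5.

# write_config DIR HOST IP: OpenSSL config carrying the extension sets the
# article requires for the CA certificate and for a server leaf.
write_config() {
    cat > "$1/pki.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder

# CA certificate: Basic Constraints CA:TRUE, Key Usage with Signature and
# Certificate Signing (CRL Signing added so revocation lists can be issued).
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
subjectKeyIdentifier = hash

# SSL server leaf: CA:FALSE, Key Encipherment + Signature, EKU SSL Server
# Authentication, SAN naming exactly what clients will type.
[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2, IP:$3
subjectKeyIdentifier = hash
EOF
}

# build_pki DIR HOST IP: self-signed root (keep DIR on the offline machine)
# plus one leaf for HOST/IP signed by it.
build_pki() {
    dir="$1"; host="$2"; ip="$3"
    mkdir -p "$dir"
    write_config "$dir" "$host" "$ip"

    # Root CA: 2048-bit RSA, ten-year validity, random serial (req -x509 default).
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Corp Root CA/emailAddress=pki@example.internal" \
        -config "$dir/pki.cnf" -extensions ca_ext \
        -keyout "$dir/ca.key" -out "$dir/ca.crt"

    # Leaf key and request; the CN is the host name, as the article advises.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
        -config "$dir/pki.cnf" -keyout "$dir/server.key" -out "$dir/server.csr"

    # Sign with the CA. The serial is 128 random bits: unique per issuer,
    # never reused, and not guessable from the previous one.
    openssl x509 -req -in "$dir/server.csr" -days 398 -sha256 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -set_serial "0x$(openssl rand -hex 16)" \
        -extfile "$dir/pki.cnf" -extensions leaf_ext -out "$dir/server.crt"
}

# verify_leaf DIR NAME: chain check against the root plus host-name check
# against the leaf's SAN, the same two things a browser does. Exit 0 = OK.
verify_leaf() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/server.crt" >/dev/null 2>&1
}

# leaf_is_ca DIR: true if the leaf claims to be a CA (it must not).
leaf_is_ca() {
    openssl x509 -in "$1/server.crt" -noout -text | grep -q 'CA:TRUE'
}

# Stand-alone run: build into a scratch directory and show both checks.
pki_demo() {
    d=$(mktemp -d)
    build_pki "$d" www.example.internal 10.0.0.5 >/dev/null 2>&1
    verify_leaf "$d" www.example.internal && echo "www.example.internal: chain and host name OK"
    verify_leaf "$d" other.example.internal || echo "other.example.internal: rejected, no matching SAN"
    leaf_is_ca "$d" || echo "leaf is correctly marked CA:FALSE"
    rm -rf "$d"
}
pki_demo
```

Run it as a script: it builds the CA and leaf in a scratch directory, confirms that the chain and host name verify, and shows that a name absent from the SAN is rejected. Only ca.crt should ever leave the CA machine; ca.key stays there, and server.key goes only to the server it was made for.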
Now, while this may seem like a ton of work to get an SSL 
certificate, keep in mind that you will typically create the CA once 
on a standalone, preferably non-network connected machine and then 
issue and copy the SSL certificates as you need them when deploying 
servers or additional services. Why would you want this machine off 
the network, you ask? Well, simple, my dear Watson. If someone gets 
hold of your root keys or can get onto the CA machine they can issue 
certificates all day long and create bogus websites with security 
certificates in your organization's name, not a good thing. We will 
dive a little deeper into this concept in later articles when we 
discuss additional methods of protecting root keys and offloading 
cryptographic processing to a hardware security module (HSM). 

Digital Signing 

Digital signing has become a hot topic in today's information 
technology circles. So what does digital signing mean exactly? Three 
things tend to get lumped together under the name, and it pays to 
keep them apart: an inclusive (attached) signature, where the 
signature travels inside the signed object; a detached signature, 
stored as a separate file beside the content; and a plain digest or 
"hash" of the content, which is not a signature at all. A digest 
proves only that two copies of a file are identical; anyone who can 
replace the file can also republish a matching digest. A signature 
binds the digest to a private key, so it can only have been produced 
by the holder of that key. 

For instance, when you manually download an Apple update from the 
Apple website you will notice a line with SHA1 = xxxxx. This is a 
digest of the download that is used to check the integrity of the 
downloaded file, ensuring it arrived without a single bit changed. 
Here's a real life example. 

Go to http://support.apple.com/downloads/iTunes_8_1_1_for_Windows 
and download the file. Take note of the 

SHA1 = cad92e6882b5fb49d710d342f315d7d6293e2b0a 

at the bottom of the description. Once you have downloaded the file 
you can open a terminal and type: 


    openssl sha1 iTunes811.dmg 

The following is returned if the file has been downloaded intact 
and matches the file Apple published: 

    SHA1(iTunes811.dmg)= cad92e6882b5fb49d710d342f315d7d6293e2b0a 

Note that this is a digest check, not a signature check: it tells 
you the bytes match what the web page says, and it is only as 
trustworthy as that page. MD5 is no longer fit for this purpose and 
SHA-1 is on its way out, so when you publish digests yourself, use 
SHA-256. 

Another example of a digital signature is digitally signing 
email. Most users are unaware that it is extremely simple to forge an 
email from one party to another without the receiving party being 
aware of the forgery; detecting it would take a forensic or savvy IT 
administrator reading the headers. Digitally signing an email lets 
the recipient check that the message was produced by the holder of 
the private key matching the certificate for the address in the From 
field. The mechanism is S/MIME (Secure Multipurpose Internet Mail 
Extensions), which wraps the message in a multipart/signed structure: 
the message body is one part, and the signature, computed with your 
private key and accompanied by your certificate, is another. The 
signature lives in the MIME body, not in the message headers. If the 
body is tampered with in any fashion the signature no longer verifies 
and most email programs will display an X or some other visual 
indicator to show the mail has been tampered with. This is the common 
example of an inclusive signature. 

Setting this up is pretty simple. Issue a personal certificate 
from the CA you created above and double click it to put the 
certificate into your login keychain. Double click on it and set the 
trust to Always Trust for email. Be sure that the certificate's email 
address matches your "from" address. Apple Mail will automagically 
change its compose pane to give you a check mark and lock icon below 
the subject on the right, allowing you to sign and encrypt an email. 
That's all there is to it for signing. Encryption is a little more 
involved: you need to send a signed email to your desired recipient 
and they need to send you one, since each side needs the other's 
certificate, which a signed message carries. Once both of you have 
accepted the other's certificate, you can send each other encrypted 
emails that only the holder of the recipient's private key can open. 
The CA cannot read them: when the key pair is generated on your own 
machine, as Certificate Assistant does, the CA never sees the private 
key. That changes only if the CA generates keys for users and keeps a 
copy (key escrow), which is a deliberate policy choice, not a side 
effect of issuing certificates. 
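The three things just described, tried out with openssl as an added example (not from the article or from Apple's tools): a bare digest, a detached signature over the same file, and an inclusive S/MIME signature, each checked once on the genuine content and once after a one-figure change, followed by S/MIME encryption to show who can open the result. The invoice text is a constructed sample and alice@example.internal is a placeholder; the self-signed certificate stands in for one your CA would issue.

```shell
#!/bin/sh
# Added example, not from the article: digest vs. detached signature vs.
# inclusive (S/MIME) signature, plus S/MIME encryption, all with openssl.
# Placeholders: the identity "alice" / alice@example.internal and the
# constructed invoice text below.

# make_identity DIR NAME EMAIL: self-signed certificate and key for NAME.
# In real use the CA from the previous section would issue this instead.
make_identity() {
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = x\n' > "$1/min.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$2/emailAddress=$3" -config "$1/min.cnf" \
        -keyout "$1/$2.key" -out "$1/$2.crt"
}

# digest_of FILE: the value a download page publishes. It detects a damaged
# or swapped file only if the digest itself came from a source you trust.
digest_of() { openssl dgst -sha256 "$1" | awk '{print $NF}'; }

# sign_detached DIR NAME FILE: signature kept in a separate file, FILE.sig.
sign_detached() { openssl dgst -sha256 -sign "$1/$2.key" -out "$3.sig" "$3"; }

# verify_detached DIR NAME FILE: succeeds only if FILE is exactly what NAME's
# private key signed; checked with the public key from NAME's certificate.
verify_detached() {
    openssl x509 -in "$1/$2.crt" -pubkey -noout > "$1/$2.pub"
    openssl dgst -sha256 -verify "$1/$2.pub" -signature "$3.sig" "$3" >/dev/null 2>&1
}

# smime_sign DIR NAME IN OUT: inclusive signature. Content, signature and the
# signer's certificate travel together in one multipart/signed MIME body.
smime_sign() {
    openssl smime -sign -in "$3" -signer "$1/$2.crt" -inkey "$1/$2.key" -out "$4"
}

# smime_verify DIR NAME MSG: checks the signature and the signer's identity.
# -CAfile trusts NAME's certificate, as "Always Trust" does in Keychain Access.
smime_verify() {
    openssl smime -verify -in "$3" -CAfile "$1/$2.crt" -out /dev/null 2>/dev/null
}

# smime_encrypt DIR NAME IN OUT / smime_decrypt DIR NAME IN: encryption needs
# only the recipient's certificate; decryption needs the matching private key,
# which never left the recipient's machine. The CA holds no copy of it.
smime_encrypt() { openssl smime -encrypt -aes256 -in "$3" -out "$4" "$1/$2.crt"; }
smime_decrypt() { openssl smime -decrypt -in "$3" -recip "$1/$2.crt" -inkey "$1/$2.key"; }

# Stand-alone run: sign, tamper, verify, encrypt.
signing_demo() {
    d=$(mktemp -d)
    make_identity "$d" alice alice@example.internal 2>/dev/null
    printf 'Invoice 4711: pay 100 EUR to account 12-34\n' > "$d/invoice.txt"  # constructed sample
    echo "published digest: $(digest_of "$d/invoice.txt")"

    sign_detached "$d" alice "$d/invoice.txt"
    smime_sign "$d" alice "$d/invoice.txt" "$d/invoice.eml"

    # Change one figure in the content; keep the signatures as they were.
    sed 's/100 EUR/900 EUR/' "$d/invoice.txt" > "$d/forged.txt"
    cp "$d/invoice.txt.sig" "$d/forged.txt.sig"
    sed 's/100 EUR/900 EUR/' "$d/invoice.eml" > "$d/forged.eml"

    verify_detached "$d" alice "$d/invoice.txt" && echo "detached: original verifies"
    verify_detached "$d" alice "$d/forged.txt" || echo "detached: forgery rejected"
    smime_verify "$d" alice "$d/invoice.eml" && echo "S/MIME: original verifies"
    smime_verify "$d" alice "$d/forged.eml" || echo "S/MIME: forgery rejected"

    smime_encrypt "$d" alice "$d/invoice.txt" "$d/invoice.p7m"
    smime_decrypt "$d" alice "$d/invoice.p7m" | grep -q 'Invoice 4711' \
        && echo "S/MIME: decrypted with alice's private key"
    rm -rf "$d"
}
signing_demo
```

The forged copies fail both signature checks while their digest is still perfectly valid for the forged bytes, which is the whole difference between a published hash and a signature. Apple Mail does the S/MIME steps for you; the openssl calls show what it is doing with the certificate and key from your keychain.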

Digitally signing documents is gaining in popularity. The most 
popular applications that provide this capability are Adobe Acrobat 
for creating PDFs, and OpenOffice. Unfortunately Micro.soft Office 2008 
does not provide this functionality, while its Windows counterpart 
does; we can only hope the next revision will, or that someone will 
write a utility for adding a signature to Office 2008 documents. And 
sadly Apple's Preview is not signature aware either, at the time I 
wrote this article. 

Why sign a PDF or other document? Glad you asked. In 48 states, 
digital signatures of varying types are actually considered legal 
signatures. That's right, you can even sign your tax returns with a 
digital signature and put that pen away. The IRS has to accept it (if 
it meets some basic criteria). An even more obvious use of digital 
signatures in these types of documents is to make them tamper 
evident. Once you sign a document, if anyone tampers with its contents 
at all it will "break" the signature. Why "break" in quotes? Well, it 
doesn't actually ruin anything. It just becomes quite evident via one 
or more visual indicators that the document was tampered with. Again 
we come back around to the question of why digitally sign a document? 
A couple of examples of documents you may want to digitally sign are 
legal contracts, financial documents, documents containing personal 
identification (more on this later), basically any document you want 
to ensure no one touches before it reaches the desired recipient. 

Going Forward 

While the simple CA installation routine above works 
well for smaller environments, it does not scale well. And, 
more importantly, it does not provide some key features an 
administrator would want to implement in a larger 
environment. 

For instance, say you issued a certificate for a user to sign and 
encrypt their email. Later, that user moves on to another company. 
How do you ensure the user isn't still using that certificate to sign 
emails that look like authentic messages from your company? The 
certificate itself is still within its validity period, so the answer 
has to come from the CA. This is a key component of a certificate 
system and it is called revocation. 

Certificate revocation is typically performed in one of two ways. 
Certificate revocation lists (CRLs) are the traditional way of 
maintaining a signed list of which certificates are no longer valid. 
The CA publishes the CRL and relying parties download it, so a 
freshly revoked certificate is still accepted until the next list is 
fetched, and a client that cannot fetch the list has to decide 
whether to fail open or closed. A newer protocol, the Online 
Certificate Status Protocol (OCSP), lets a client ask the CA's 
responder about one certificate's status at the time of the 
connection. It does not revoke anything itself; it reports what the 
CA has recorded. 
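Revocation in practice, as an added example (not from the article): OpenSSL's ca command keeps the index database that a CRL is generated from, so this block builds a minimal database-backed CA, issues one certificate, revokes it with the reason affiliationChanged (the departed-employee case above) and shows what a relying party that checks the CRL concludes before and after. The CA name and the host mail.example.internal are placeholders.

```shell
#!/bin/sh
# Added example, not from the article: revocation with a CRL, using the
# database-backed CA that "openssl ca" provides. Placeholders: the CA name
# "Example Corp Root CA" and the host mail.example.internal.

# ca_config DIR HOST: [demo_ca] is what "openssl ca" needs to track issued
# certificates; [ca_ext]/[leaf_ext] mirror the Certificate Assistant settings.
ca_config() {
    cat > "$1/ca.cnf" <<EOF
[ca]
default_ca = demo_ca
[demo_ca]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 7
policy = policy_any
[policy_any]
commonName = supplied
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
EOF
}

# build_ca DIR HOST: root key and certificate, empty index, random starting
# serial, and an initial (empty) CRL so relying parties always have one.
build_ca() {
    mkdir -p "$1"
    ca_config "$1" "$2"
    : > "$1/index.txt"
    openssl rand -hex 16 > "$1/serial"
    echo 01 > "$1/crlnumber"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Corp Root CA" -config "$1/ca.cnf" -extensions ca_ext \
        -keyout "$1/ca.key" -out "$1/ca.crt"
    openssl ca -config "$1/ca.cnf" -gencrl -out "$1/ca.crl"
}

# issue_leaf DIR HOST: "openssl ca" signs the request and records serial,
# subject and expiry in index.txt, which is what makes revocation possible.
issue_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
        -config "$1/ca.cnf" -keyout "$1/$2.key" -out "$1/$2.csr"
    openssl ca -batch -config "$1/ca.cnf" -extensions leaf_ext -notext \
        -in "$1/$2.csr" -out "$1/$2.crt"
}

# revoke_leaf DIR HOST REASON: mark the entry revoked, then publish a new CRL.
# The certificate itself is unchanged; only the CA's signed list is.
revoke_leaf() {
    openssl ca -config "$1/ca.cnf" -revoke "$1/$2.crt" -crl_reason "$3"
    openssl ca -config "$1/ca.cnf" -gencrl -out "$1/ca.crl"
}

# leaf_status DIR HOST: what a relying party concludes when it checks the
# chain and the current CRL. Without -crl_check the revoked cert still passes.
leaf_status() {
    if openssl verify -CAfile "$1/ca.crt" -crl_check -CRLfile "$1/ca.crl" \
        "$1/$2.crt" >/dev/null 2>&1
    then echo good; else echo revoked; fi
}

# Stand-alone run.
revocation_demo() {
    d=$(mktemp -d)
    build_ca "$d" mail.example.internal >/dev/null 2>&1
    issue_leaf "$d" mail.example.internal >/dev/null 2>&1
    echo "before revocation: $(leaf_status "$d" mail.example.internal)"
    revoke_leaf "$d" mail.example.internal affiliationChanged >/dev/null 2>&1
    echo "after revocation:  $(leaf_status "$d" mail.example.internal)"
    rm -rf "$d"
}
revocation_demo
```

Two things to notice: a relying party that never fetches the CRL (or skips -crl_check) keeps accepting the revoked certificate until it expires, and the CRL is signed by the CA key, so its cRLSign key usage has to be there from the start. Certificate Assistant does not publish CRLs or run an OCSP responder, which is one of the reasons the next installment turns to enterprise-grade CA software.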

Additionally, in larger environments, you may be 
issuing various types of certificates, and may want to allow 
other administrators to create SSL certificates for their own 
internal servers, let users register and create their own email 
certificates and so on. Offloading some of the administrative 
burden makes the system more efficient. In next month's 
installment, we explore enterprise grade CA choices and a 
great choice for deploying enterprise certificate authority 
services in an Apple Mac OS X environment. 


THE MACTECH SPOTLIGHT 

Simone Manganelli 

http://homepage.mac.com/simx/ 

Do you work for a company or are you self-employed? 

Ellipsis Productions, that's the name of my software company. 

What do you do? 

My main "job" is being a geology grad student at Stanford 
University. I do work in the field of volcanology and geochronology; 
my current project is working on a new lab technique to extract gases 
from rock samples for Argon radiometric age dating. This is where I 
spend most of my time. 

In terms of Mac OS X development, though, I make niche Cocoa apps 
that fulfill pretty specific needs that I have for myself and then I 
release them publicly in hopes that other people have similar needs 
and will benefit from those same apps. I also assist in the porting 
of a couple of games to Mac OS X, and I'm an active developer for a 
Safari browser plugin called ClickToFlash. 

How long have you been doing what you do? 

I've been a grad student in geology for almost three years now, 
and I've been doing Mac OS X development since 2002. I actually got 
started with AppleScript Studio. I'd been moderately experienced in 
AppleScript since the Classic Mac OS days, and since AppleScript 
survived the Mac OS X transition, I figured that would be the best 
way to start making actual apps. I quickly ran up against performance 
problems with AppleScript Studio, though, and decided that I might as 
well learn Cocoa programming. After picking up Aaron Hillegass' 
awesome "Cocoa Programming for Mac OS X" book and going through most 
of the examples, I had a good foundation to start creating Cocoa apps. 

Your first computer: 

That depends on what you mean by "my" first computer. The first 
computer I ever touched? I was probably two years old when my dad was 
learning to program, and he had an old Sinclair ZX81 that attached to 
a TV which he used to program. (I think I ended up banging too hard 
on it and breaking it.) 

First computer I actually knew how to use? A Mac Plus. I remember 
mostly playing games on it, like Dark Castle and Beyond Dark Castle. 
(Still a fan of those games, by the way, and the recently-released 
threequel Return to Dark Castle is pretty excellent, too.) 

First computer I programmed on? A Mac IIsi. My dad had a book of 
pre-made programs in THINK Pascal (you know, that crazy programming 
language that uses .p for its filename extensions?), and I dutifully 
reproduced the code from the book by retyping it line by line into 
the computer, and then spent hours trying to figure out where I 
misplaced a semicolon or something. I think one of the programs was a 
racecar moving around a track. I was so excited as an 8-or-so-year-old 
kid to be doing something like that. 

First computer that I helped purchase that nobody else used? The 
original bondi blue iMac. I still remember the new box smell after 
first setting it up. I think it's still going strong at the school 
where my dad works. 

Are you Mac-only, or a multi-platform person? 

Mac-mainly. I can survive on Windows and Linux if necessary (and 
for working down in the Argon lab at Stanford, it is necessary, 
unfortunately). But I mainly live in Mac OS X and exclusively program 
for it. I have some experience in web programming too; I've created 
some web apps in perl and have programmed with JavaScript, too. 

What is the advice you'd give to someone trying to get into this 
line of work today? 

First, download the free OS X developer tools. Second, get 
Hillegass' "Cocoa Programming for Mac OS X" book. I can think of no 
better book that teaches good Cocoa programming practices and 
introduces Cocoa programming to novices. 

Third, it's always valuable to gain experience by downloading 
open-source software and tinkering with it. You get to see how others 
program, which exposes you to new frameworks and techniques, and 
sometimes you can help out by improving little things and 
contributing back to the project. I've done this with D2X-XL (I 
helped improve the OS X port of the old Descent games), opentyrian (I 
created the Mac OS X port), and ClickToFlash (I've helped add a 
number of features to the plugin). It's educational *and* very 
rewarding. It also allows you to focus on aspects of programming that 
you like. 

What's the coolest tech thing you've done using OS X? 

I think TuneTagger is probably the coolest app I've done so far. 
It was challenging from a UI perspective because the app needed to 
stay out of the way most of the time, but still be understandable and 
useful to the user. I still don't think I've gotten it quite right, 
but it's most of the way there. 

I *do* get pretty excited about adding features to ClickToFlash, 
too, though. It's really awesome to have almost all of the Cocoa 
programming frameworks available to you in a Safari plugin. It's also 
probably the project that has the most widespread use of any work 
that I've done. 

I also have a cool new weblogging app in development that works 
both on the Mac and on the iPhone. I don't know when those will be 
released, but I've been using a lot of new tech in Mac OS X that I 
hadn't yet been able to use in other projects, and it's my first 
iPhone project as well. I already publish my own weblog using my own 
app, so it's already very functional. I can't wait until I can do the 
same with an iPhone app. 

Where can we see a sample of your work? 

My apps: http://homepage.mac.com/simx/ 

My weblog (I post Mac programming tips, opinion, and development 
progress): http://homepage.mac.com/simx/technonova/index.html 

D2X-XL: http://descent2.de/ 

opentyrian: http://code.google.com/p/opentyrian/ 

ClickToFlash: http://github.com/rentzsch/clicktoflash/tree/master 

The next way I'm going to impact IT/OS X/the Mac universe is: 

Well, I hope to fulfill a niche with my weblogging apps when I 
finally release them. But I'm also hoping to create some apps 
specifically for geologists, too; I have some ideas for apps that 
would be useful out in the field, and I don't think I've seen a 
single geology app on the iPhone at all. 

Photo credit: Faruk Ateş 
STILL NEED TO FIND THAT PERFECT GIFT? IT'S NOT TOO LATE! 

DADS & GRADS 

Smalldog.com/fathersday Smalldog.com/graduation 

Small Dog Electronics has over 3,000 potential gifts in stock, so you're sure to 
find that perfect something. Plus, we offer: 

» Free shipping on purchases over $200 
» Mac bundles and tax-free shopping 
» iPod specials from $159.99 
» Brand new Flip Ultra Camcorders, 4 colors/models from $149.99 

Plus, MacBooks from $899 and BRAND NEW notebooks from $1199! 

• 3,000+ products for Macs + PCs 
• 5-star online merchant rating 
• tax-free shopping outside of VT 

Apple Specialist 

www.smalldog.com 
backup and recovery software for 
small and medium businesses 

The name in Mac backup 


Now available for PowerPC & Intel Macs! 

All-new EMC Retrospect 8 for Macintosh provides the reliability, ease of use, power, 
and flexibility you need to protect critical data on Mac and Windows PCs and servers. 

EMC Retrospect includes a state-of-the-art Mac user interface and enterprise-level 
features, including remote management of one or more backup servers, 
disk-to-disk-to-anything backups, Xsan support and custom reporting, at a fraction of 
the cost of other products. 

Download a free 45-day trial at www.retrospect.com 